mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-24 13:56:33 +02:00
7e5034f97e
Fixes: signed integer overflow: -1268324762623155200 * 8 cannot be represented in type 'long' Fixes: 30123/clusterfuzz-testcase-minimized-ffmpeg_dem_THREEDOSTR_fuzzer-6710765123928064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
203 lines
5.9 KiB
C
203 lines
5.9 KiB
C
/*
|
|
* 3DO STR demuxer
|
|
* Copyright (c) 2015 Paul B Mahol
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#include "libavutil/intreadwrite.h"
|
|
#include "avformat.h"
|
|
#include "internal.h"
|
|
|
|
static int threedostr_probe(const AVProbeData *p)
|
|
{
|
|
for (int i = 0; i < p->buf_size;) {
|
|
unsigned chunk = AV_RL32(p->buf + i);
|
|
unsigned size = AV_RB32(p->buf + i + 4);
|
|
|
|
if (size < 8 || p->buf_size - i < size)
|
|
return 0;
|
|
i += 8;
|
|
size -= 8;
|
|
switch (chunk) {
|
|
case MKTAG('C','T','R','L'):
|
|
break;
|
|
case MKTAG('S','N','D','S'):
|
|
if (size < 56)
|
|
return 0;
|
|
i += 8;
|
|
if (AV_RL32(p->buf + i) != MKTAG('S','H','D','R'))
|
|
return 0;
|
|
i += 28;
|
|
|
|
if (AV_RB32(p->buf + i) <= 0)
|
|
return 0;
|
|
i += 4;
|
|
if (AV_RB32(p->buf + i) <= 0)
|
|
return 0;
|
|
i += 4;
|
|
if (AV_RL32(p->buf + i) == MKTAG('S','D','X','2'))
|
|
return AVPROBE_SCORE_MAX;
|
|
else
|
|
return 0;
|
|
break;
|
|
case MKTAG('S','H','D','R'):
|
|
if (size > 0x78) {
|
|
i += 0x78;
|
|
size -= 0x78;
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
i += size;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int threedostr_read_header(AVFormatContext *s)
|
|
{
|
|
unsigned chunk, codec = 0, size, ctrl_size = -1, found_shdr = 0;
|
|
AVStream *st;
|
|
|
|
while (!avio_feof(s->pb) && !found_shdr) {
|
|
chunk = avio_rl32(s->pb);
|
|
size = avio_rb32(s->pb);
|
|
|
|
if (size < 8)
|
|
return AVERROR_INVALIDDATA;
|
|
size -= 8;
|
|
|
|
switch (chunk) {
|
|
case MKTAG('C','T','R','L'):
|
|
ctrl_size = size;
|
|
break;
|
|
case MKTAG('S','N','D','S'):
|
|
if (size < 56)
|
|
return AVERROR_INVALIDDATA;
|
|
avio_skip(s->pb, 8);
|
|
if (avio_rl32(s->pb) != MKTAG('S','H','D','R'))
|
|
return AVERROR_INVALIDDATA;
|
|
avio_skip(s->pb, 24);
|
|
|
|
st = avformat_new_stream(s, NULL);
|
|
if (!st)
|
|
return AVERROR(ENOMEM);
|
|
|
|
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
|
|
st->codecpar->sample_rate = avio_rb32(s->pb);
|
|
st->codecpar->channels = avio_rb32(s->pb);
|
|
if (st->codecpar->channels <= 0 || st->codecpar->sample_rate <= 0)
|
|
return AVERROR_INVALIDDATA;
|
|
codec = avio_rl32(s->pb);
|
|
avio_skip(s->pb, 4);
|
|
if (ctrl_size == 20 || ctrl_size == 3 || ctrl_size == -1)
|
|
st->duration = (avio_rb32(s->pb) - 1) / st->codecpar->channels;
|
|
else
|
|
st->duration = avio_rb32(s->pb) * 16 / st->codecpar->channels;
|
|
size -= 56;
|
|
found_shdr = 1;
|
|
break;
|
|
case MKTAG('S','H','D','R'):
|
|
if (size > 0x78) {
|
|
avio_skip(s->pb, 0x74);
|
|
size -= 0x78;
|
|
if (avio_rl32(s->pb) == MKTAG('C','T','R','L') && size > 4) {
|
|
ctrl_size = avio_rb32(s->pb);
|
|
size -= 4;
|
|
}
|
|
}
|
|
break;
|
|
default:
|
|
av_log(s, AV_LOG_DEBUG, "skipping unknown chunk: %X\n", chunk);
|
|
break;
|
|
}
|
|
|
|
avio_skip(s->pb, size);
|
|
}
|
|
|
|
switch (codec) {
|
|
case MKTAG('S','D','X','2'):
|
|
st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM;
|
|
st->codecpar->block_align = 1 * st->codecpar->channels;
|
|
break;
|
|
default:
|
|
avpriv_request_sample(s, "codec %X", codec);
|
|
return AVERROR_PATCHWELCOME;
|
|
}
|
|
|
|
avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int threedostr_read_packet(AVFormatContext *s, AVPacket *pkt)
|
|
{
|
|
unsigned chunk, size;
|
|
AVStream *st = s->streams[0];
|
|
int64_t pos;
|
|
int ret = 0;
|
|
|
|
while (!avio_feof(s->pb)) {
|
|
pos = avio_tell(s->pb);
|
|
chunk = avio_rl32(s->pb);
|
|
size = avio_rb32(s->pb);
|
|
|
|
if (!size)
|
|
continue;
|
|
|
|
if (size < 8)
|
|
return AVERROR_INVALIDDATA;
|
|
size -= 8;
|
|
|
|
switch (chunk) {
|
|
case MKTAG('S','N','D','S'):
|
|
if (size <= 16)
|
|
return AVERROR_INVALIDDATA;
|
|
avio_skip(s->pb, 8);
|
|
if (avio_rl32(s->pb) != MKTAG('S','S','M','P'))
|
|
return AVERROR_INVALIDDATA;
|
|
avio_skip(s->pb, 4);
|
|
size -= 16;
|
|
ret = av_get_packet(s->pb, pkt, size);
|
|
pkt->pos = pos;
|
|
pkt->stream_index = 0;
|
|
pkt->duration = size / st->codecpar->channels;
|
|
return ret;
|
|
default:
|
|
av_log(s, AV_LOG_DEBUG, "skipping unknown chunk: %X\n", chunk);
|
|
break;
|
|
}
|
|
|
|
avio_skip(s->pb, size);
|
|
}
|
|
|
|
return AVERROR_EOF;
|
|
}
|
|
|
|
AVInputFormat ff_threedostr_demuxer = {
|
|
.name = "3dostr",
|
|
.long_name = NULL_IF_CONFIG_SMALL("3DO STR"),
|
|
.read_probe = threedostr_probe,
|
|
.read_header = threedostr_read_header,
|
|
.read_packet = threedostr_read_packet,
|
|
.extensions = "str",
|
|
.flags = AVFMT_GENERIC_INDEX,
|
|
};
|