wavparse: Fix parsing of adtl chunks

We have to skip 12 bytes of data for the chunk, and the data size passed to the sub-chunk parsing functions should have 4 bytes less than the data size. Also when parsing the sub-chunks, check if we actually have enough data to read instead of just crashing. https://bugzilla.gnome.org/show_bug.cgi?id=736266
author: Sebastian Dröge <sebastian@centricular.com> 2014-09-12 15:06:50 +0300
committer: Sebastian Dröge <sebastian@centricular.com> 2014-09-13 16:48:32 +0300
commit: 90628f1f465f6a832c9dff78c96c884a93d45a78 (patch)
tree: 264ab41a610f6c9225b136c863dba527e49b301d
parent: 249dd95d59387bc3fc37502c8080b94478151c4b (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 28d206395..429b8e509 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -886,6 +886,12 @@ gst_wavparse_adtl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
   while (size >= 8) {
     ltag = GST_READ_UINT32_LE (data + offset);
     lsize = GST_READ_UINT32_LE (data + offset + 4);
+
+    if (lsize + 8 > size) {
+      GST_WARNING_OBJECT (wav, "Invalid adtl size: %u + 8 > %u", lsize, size);
+      return FALSE;
+    }
+
     switch (ltag) {
       case GST_RIFF_TAG_labl:
         gst_wavparse_labl_chunk (wav, data + offset, size);
@@ -1426,13 +1432,14 @@ gst_wavparse_stream_headers (GstWavParse * wav)
             break;
           }
           case GST_RIFF_LIST_adtl:{
-            const gint data_size = size;
+            const gint data_size = size - 4;
 
             GST_INFO_OBJECT (wav, "Have 'adtl' LIST, size %u", data_size);
             if (wav->streaming) {
               const guint8 *data = NULL;
 
               gst_adapter_flush (wav->adapter, 12);
+              wav->offset += 12;
               data = gst_adapter_map (wav->adapter, data_size);
               gst_wavparse_adtl_chunk (wav, data, data_size);
               gst_adapter_unmap (wav->adapter);
@@ -1441,8 +1448,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
 
               gst_buffer_unref (buf);
               buf = NULL;
+              wav->offset += 12;
               if ((res =
-                      gst_pad_pull_range (wav->sinkpad, wav->offset + 12,
+                      gst_pad_pull_range (wav->sinkpad, wav->offset,
                           data_size, &buf)) != GST_FLOW_OK)
                 goto header_read_error;
               gst_buffer_map (buf, &map, GST_MAP_READ);
author	Sebastian Dröge <sebastian@centricular.com>	2014-09-12 15:06:50 +0300
committer	Sebastian Dröge <sebastian@centricular.com>	2014-09-13 16:48:32 +0300
commit	90628f1f465f6a832c9dff78c96c884a93d45a78 (patch)
tree	264ab41a610f6c9225b136c863dba527e49b301d
parent	249dd95d59387bc3fc37502c8080b94478151c4b (diff)