--- branches/1.0rc2/libmpdemux/demux_vqf.c 2007/10/07 16:27:03 24723 +++ branches/1.0rc2/libmpdemux/demux_vqf.c 2008/12/14 15:18:41 28150 @@ -50,11 +50,14 @@ unsigned chunk_size; hi->size=chunk_size=stream_read_dword(s); /* include itself */ stream_read(s,chunk_id,4); + if (chunk_size < 8) return NULL; + chunk_size -= 8; if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('C','O','M','M')) { - char buf[chunk_size-8]; + char buf[BUFSIZ]; unsigned i,subchunk_size; - if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL; + if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL; + if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL; i=0; subchunk_size=be2me_32(*((uint32_t *)&buf[0])); hi->channelMode=be2me_32(*((uint32_t *)&buf[4])); @@ -83,13 +86,15 @@ sh_audio->samplesize = 4; w->wBitsPerSample = 8*sh_audio->samplesize; w->cbSize = 0; + if (subchunk_size > chunk_size - 4) continue; i+=subchunk_size+4; - while(i sizeof(sdata) - 1 || slen > chunk_size - i) break; if(sid==mmioFOURCC('D','S','I','Z')) { hi->Dsiz=be2me_32(*((uint32_t *)&buf[i])); @@ -141,7 +146,7 @@ if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('D','A','T','A')) { demuxer->movi_start=stream_tell(s); - demuxer->movi_end=demuxer->movi_start+chunk_size-8; + demuxer->movi_end=demuxer->movi_start+chunk_size; mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end); /* Done! play it */ break; @@ -149,7 +154,7 @@ else { mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",((char *)&chunk_id)[0],((char *)&chunk_id)[1],((char *)&chunk_id)[2],((char *)&chunk_id)[3],chunk_size); - stream_skip(s,chunk_size-8); /*unknown chunk type */ + stream_skip(s,chunk_size); /*unknown chunk type */ } }