ref: 062400233caf4dffbb462c8c0dc071fc2483bea2
parent: ef31633af61cd197e50a65893c85a3b36c2c3025
author: knik <knik@users.sourceforge.net>
date: Sun Jul 16 04:19:41 EDT 2017
in the end it turned out faad crashes with Fabian's recent patches so I had to reverse it
--- a/common/mp4ff/mp4atom.c
+++ b/common/mp4ff/mp4atom.c
@@ -258,9 +258,6 @@
static int32_t mp4ff_read_stsz(mp4ff_t *f)
{- if (f->total_tracks == 0)
- return f->error++;
-
mp4ff_read_char(f); /* version */
mp4ff_read_int24(f); /* flags */
f->track[f->total_tracks - 1]->stsz_sample_size = mp4ff_read_int32(f);
@@ -272,10 +269,7 @@
f->track[f->total_tracks - 1]->stsz_table =
(int32_t*)malloc(f->track[f->total_tracks - 1]->stsz_sample_count*sizeof(int32_t));
- if (!f->track[f->total_tracks - 1]->stsz_table)
- return f->error++;
-
- for (i = 0; i < f->track[f->total_tracks - 1]->stsz_sample_count && !f->stream->read_error; i++)
+ for (i = 0; i < f->track[f->total_tracks - 1]->stsz_sample_count; i++)
{f->track[f->total_tracks - 1]->stsz_table[i] = mp4ff_read_int32(f);
}
@@ -289,9 +283,6 @@
uint8_t tag;
uint32_t temp;
- if (f->total_tracks == 0)
- return f->error++;
-
mp4ff_read_char(f); /* version */
mp4ff_read_int24(f); /* flags */
@@ -356,9 +347,6 @@
uint8_t atom_type = 0;
uint8_t header_size = 0;
- if (f->total_tracks == 0)
- return f->error++;
-
for (i = 0; i < 6; i++)
{mp4ff_read_char(f); /* reserved */
@@ -392,16 +380,12 @@
int32_t i;
uint8_t header_size = 0;
- /* CVE-2017-9218 */
- if (f->total_tracks == 0)
- return f->error++;
-
mp4ff_read_char(f); /* version */
mp4ff_read_int24(f); /* flags */
f->track[f->total_tracks - 1]->stsd_entry_count = mp4ff_read_int32(f);
- for (i = 0; i < f->track[f->total_tracks - 1]->stsd_entry_count && !f->stream->read_error; i++) /* CVE-2017-9253 */
+ for (i = 0; i < f->track[f->total_tracks - 1]->stsd_entry_count; i++)
{uint64_t skip = mp4ff_position(f);
uint64_t size;
@@ -431,9 +415,6 @@
{int32_t i;
- if (f->total_tracks == 0)
- return f->error++;
-
mp4ff_read_char(f); /* version */
mp4ff_read_int24(f); /* flags */
f->track[f->total_tracks - 1]->stsc_entry_count = mp4ff_read_int32(f);
@@ -445,28 +426,8 @@
f->track[f->total_tracks - 1]->stsc_sample_desc_index =
(int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
- /* CVE-2017-9219 */
- if (!f->track[f->total_tracks - 1]->stsc_first_chunk)
+ for (i = 0; i < f->track[f->total_tracks - 1]->stsc_entry_count; i++)
{- return f->error++;
- }
- if (!f->track[f->total_tracks - 1]->stsc_samples_per_chunk)
- {- free(f->track[f->total_tracks - 1]->stsc_first_chunk);
- f->track[f->total_tracks - 1]->stsc_first_chunk = NULL;
- return f->error++;
- }
- if (!f->track[f->total_tracks - 1]->stsc_sample_desc_index)
- {- free(f->track[f->total_tracks - 1]->stsc_first_chunk);
- f->track[f->total_tracks - 1]->stsc_first_chunk = NULL;
- free(f->track[f->total_tracks - 1]->stsc_samples_per_chunk);
- f->track[f->total_tracks - 1]->stsc_samples_per_chunk = NULL;
- return f->error++;
- }
-
- for (i = 0; i < f->track[f->total_tracks - 1]->stsc_entry_count && !f->stream->read_error; i++) /* CVE-2017-9255 */
- {f->track[f->total_tracks - 1]->stsc_first_chunk[i] = mp4ff_read_int32(f);
f->track[f->total_tracks - 1]->stsc_samples_per_chunk[i] = mp4ff_read_int32(f);
f->track[f->total_tracks - 1]->stsc_sample_desc_index[i] = mp4ff_read_int32(f);
@@ -479,9 +440,6 @@
{int32_t i;
- if (f->total_tracks == 0)
- return f->error++;
-
mp4ff_read_char(f); /* version */
mp4ff_read_int24(f); /* flags */
f->track[f->total_tracks - 1]->stco_entry_count = mp4ff_read_int32(f);
@@ -489,11 +447,7 @@
f->track[f->total_tracks - 1]->stco_chunk_offset =
(int32_t*)malloc(f->track[f->total_tracks - 1]->stco_entry_count*sizeof(int32_t));
- /* CVE-2017-9220 */
- if (!f->track[f->total_tracks - 1]->stco_chunk_offset)
- return f->error++;
-
- for (i = 0; i < f->track[f->total_tracks - 1]->stco_entry_count && !f->stream->read_error; i++) /* CVE-2017-9256 */
+ for (i = 0; i < f->track[f->total_tracks - 1]->stco_entry_count; i++)
{f->track[f->total_tracks - 1]->stco_chunk_offset[i] = mp4ff_read_int32(f);
}
@@ -504,12 +458,8 @@
static int32_t mp4ff_read_ctts(mp4ff_t *f)
{int32_t i;
- mp4ff_track_t * p_track;
+ mp4ff_track_t * p_track = f->track[f->total_tracks - 1];
- if (f->total_tracks == 0)
- return f->error++;
-
- p_track = f->track[f->total_tracks - 1];
if (p_track->ctts_entry_count) return 0;
mp4ff_read_char(f); /* version */
@@ -528,7 +478,7 @@
}
else
{- for (i = 0; i < f->track[f->total_tracks - 1]->ctts_entry_count && !f->stream->read_error; i++) /* CVE-2017-9257 */
+ for (i = 0; i < f->track[f->total_tracks - 1]->ctts_entry_count; i++)
{p_track->ctts_sample_count[i] = mp4ff_read_int32(f);
p_track->ctts_sample_offset[i] = mp4ff_read_int32(f);
@@ -540,14 +490,8 @@
static int32_t mp4ff_read_stts(mp4ff_t *f)
{int32_t i;
- mp4ff_track_t * p_track;
+ mp4ff_track_t * p_track = f->track[f->total_tracks - 1];
- /* CVE-2017-9223 */
- if (f->total_tracks == 0)
- return f->error++;
-
- p_track = f->track[f->total_tracks - 1];
-
if (p_track->stts_entry_count) return 0;
mp4ff_read_char(f); /* version */
@@ -566,7 +510,7 @@
}
else
{- for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count && !f->stream->read_error; i++) /* CVE-2017-9254 */
+ for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count; i++)
{p_track->stts_sample_count[i] = mp4ff_read_int32(f);
p_track->stts_sample_delta[i] = mp4ff_read_int32(f);
@@ -652,10 +596,6 @@
static int32_t mp4ff_read_mdhd(mp4ff_t *f)
{uint32_t version;
-
- /* CVE-2017-9221 */
- if (f->total_tracks == 0)
- return f->error++;
version = mp4ff_read_int32(f);
if (version==1)
--- a/common/mp4ff/mp4ff.c
+++ b/common/mp4ff/mp4ff.c
@@ -42,12 +42,6 @@
parse_atoms(ff,0);
- if (ff->error)
- {- free(ff);
- ff = NULL;
- }
-
return ff;
}
@@ -61,12 +55,6 @@
parse_atoms(ff,1);
- if (ff->error)
- {- free(ff);
- ff = NULL;
- }
-
return ff;
}
@@ -113,17 +101,10 @@
if (ff) free(ff);
}
-static void mp4ff_track_add(mp4ff_t *f)
+void mp4ff_track_add(mp4ff_t *f)
{f->total_tracks++;
- if (f->total_tracks > MAX_TRACKS)
- {- f->total_tracks = 0;
- f->error++;
- return;
- }
-
f->track[f->total_tracks - 1] = malloc(sizeof(mp4ff_track_t));
memset(f->track[f->total_tracks - 1], 0, sizeof(mp4ff_track_t));
@@ -204,7 +185,6 @@
uint8_t header_size = 0;
f->file_size = 0;
- f->stream->read_error = 0;
while ((size = mp4ff_atom_read_header(f, &atom_type, &header_size)) != 0)
{--- a/common/mp4ff/mp4ffint.h
+++ b/common/mp4ff/mp4ffint.h
@@ -144,7 +144,6 @@
uint32_t (*seek)(void *user_data, uint64_t position);
uint32_t (*truncate)(void *user_data);
void *user_data;
- uint32_t read_error;
} mp4ff_callback_t;
@@ -224,7 +223,6 @@
uint64_t moov_size;
uint8_t last_atom;
uint64_t file_size;
- uint32_t error;
/* mvhd */
int32_t time_scale;
--- a/common/mp4ff/mp4meta.c
+++ b/common/mp4ff/mp4meta.c
@@ -240,7 +240,7 @@
uint32_t len = 0;
- while (sumsize < size && !f->stream->read_error) /* CVE-2017-9222 */
+ while (sumsize < size)
{uint64_t destpos;
subsize = mp4ff_atom_read_header(f, &atom_type, &header_size);
@@ -500,4 +500,4 @@
return mp4ff_meta_find_by_name_and_return_len(f, "cover", value);
}
-#endif
+#endif
\ No newline at end of file
--- a/common/mp4ff/mp4util.c
+++ b/common/mp4ff/mp4util.c
@@ -37,9 +37,6 @@
result = f->stream->read(f->stream->user_data, data, size);
- if (result < size)
- f->stream->read_error++;
-
f->current_position += size;
return result;