fix #2634 - 2 stack overflow

gpac · Oct 13, 2023 · e9b9134 · e9b9134
1 parent 7a6f636
commit e9b9134
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 13 deletions.
diff --git a/src/filters/dmx_avi.c b/src/filters/dmx_avi.c
@@ -282,11 +282,12 @@ static void avidmx_setup(GF_Filter *filter, GF_AVIDmxCtx *ctx)
 				u32 cid=0;
 				char data[8];
 				AVI_set_audio_track(ctx->avi, i);
-				AVI_read_audio(ctx->avi, data, 8, (int*)&cid);
+				if (AVI_read_audio(ctx->avi, data, 8, (int*)&cid)) {
 #ifndef GPAC_DISABLE_AV_PARSERS
-				u32 hdr = GF_4CC(data[0], data[1], data[2], data[3]);
-				cid = gf_mp3_object_type_indication(hdr);
+					u32 hdr = GF_4CC(data[0], data[1], data[2], data[3]);
+					cid = gf_mp3_object_type_indication(hdr);
 #endif
+				}
 				AVI_set_audio_position(ctx->avi, 0);
 				if (cid) codecid = cid;
 			}
@@ -552,7 +553,7 @@ GF_Err avidmx_process(GF_Filter *filter)
 			ctx->video_done = GF_TRUE;
 		}
 	}
-	
+
 	nb_done = 0;
 	count = gf_list_count(ctx->audios);
 	for (i=0; i<count; i++) {
@@ -597,7 +598,7 @@ GF_Err avidmx_process(GF_Filter *filter)
 			u64 file_offset;
 			GF_FilterPacket *dst_pck = gf_filter_pck_new_alloc(st->opid, size, &pck_data);
 			if (!dst_pck) return GF_OUT_OF_MEM;
-			
+
 			file_offset = gf_ftell(ctx->avi->fdes);
 			AVI_read_audio(ctx->avi, pck_data, size, (int*)&continuous);
 
@@ -744,4 +745,3 @@ const GF_FilterRegister *avidmx_register(GF_FilterSession *session)
 	return NULL;
 #endif
 }
-
diff --git a/src/media_tools/avilib.c b/src/media_tools/avilib.c
@@ -3036,7 +3036,8 @@ int AVI_set_audio_position(avi_t *AVI, int byte)
 
 int AVI_read_audio(avi_t *AVI, u8 *audbuf, int bytes, int *continuous)
 {
-	int nr, todo;
+	int nr;
+	u32 todo;
 	s64 pos;
 
 	if(AVI->mode==AVI_MODE_WRITE) {
@@ -3059,7 +3060,7 @@ int AVI_read_audio(avi_t *AVI, u8 *audbuf, int bytes, int *continuous)
 	while(bytes>0)
 	{
 		s64 ret;
-		int left = (int) (AVI->track[AVI->aptr].audio_index[AVI->track[AVI->aptr].audio_posc].len - AVI->track[AVI->aptr].audio_posb);
+		u32 left = (u32) (AVI->track[AVI->aptr].audio_index[AVI->track[AVI->aptr].audio_posc].len - AVI->track[AVI->aptr].audio_posb);
 		if(left==0)
 		{
 			if(AVI->track[AVI->aptr].audio_posc>=AVI->track[AVI->aptr].audio_chunks-1) return nr;
@@ -3068,16 +3069,16 @@ int AVI_read_audio(avi_t *AVI, u8 *audbuf, int bytes, int *continuous)
 			*continuous = 0;
 			continue;
 		}
-		if(bytes<left)
+		if((u32)bytes<left)
 			todo = bytes;
 		else
 			todo = left;
 		pos = AVI->track[AVI->aptr].audio_index[AVI->track[AVI->aptr].audio_posc].pos + AVI->track[AVI->aptr].audio_posb;
 		gf_fseek(AVI->fdes, pos, SEEK_SET);
-		AVI->track[AVI->aptr].audio_posb += todo;
-		if ( (ret = avi_read(AVI->fdes,audbuf+nr,todo)) != todo)
+		AVI->track[AVI->aptr].audio_posb += (int)todo;
+		if ( (ret = avi_read(AVI->fdes,audbuf+nr,todo)) != (s64)todo)
 		{
-			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[avilib] XXX pos = %"LLD", ret = %"LLD", todo = %ld\n", pos, ret, todo));
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[avilib] XXX pos = "LLD", ret = "LLD", todo = %ld\n", pos, ret, todo));
 			AVI_errno = AVI_ERR_READ;
 			return -1;
 		}

diff --git a/src/media_tools/mpegts.c b/src/media_tools/mpegts.c
@@ -2468,7 +2468,7 @@ static void gf_m2ts_get_adaptation_field(GF_M2TS_Demuxer *ts, GF_M2TS_Adaptation
 							break;
 						}
 						gf_bs_read_data(bs, _url, url_len);
-						_url[url_len] = 0;
+						_url[url_len >= GF_ARRAY_LENGTH(URL) ? GF_ARRAY_LENGTH(URL)-1 : url_len] = 0;
 					}
 					temi_loc.external_URL = URL;