From d254ca17b0cd03c0d91f60c849c8da6d152068ed Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Fri, 3 Apr 2020 18:44:23 +0200
Subject: [PATCH] rmdemux: check that slice data fits into the frame
---
 nihav-realmedia/src/demuxers/realmedia.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/nihav-realmedia/src/demuxers/realmedia.rs b/nihav-realmedia/src/demuxers/realmedia.rs
index 8f7b101..1fa52f9 100644
--- a/nihav-realmedia/src/demuxers/realmedia.rs
+++ b/nihav-realmedia/src/demuxers/realmedia.rs
@@ -53,13 +53,15 @@ impl RMVideoStream {
 self.frame.resize(frame_size + self.hdr_size, 0);
 self.frame[0] = (num_slices - 1) as u8;
 self.frame_pos = 0;
- self.add_slice(1, data);
+ self.add_slice(1, data).unwrap();
 }
- fn add_slice(&mut self, slice_no: usize, data: &[u8]) {
+ fn add_slice(&mut self, slice_no: usize, data: &[u8]) -> DemuxerResult<()> {
+ validate!(self.hdr_size + self.frame_pos + data.len() <= self.frame.len());
 self.write_slice_info(slice_no);
 let dslice = &mut self.frame[self.hdr_size + self.frame_pos..][..data.len()];
 dslice.copy_from_slice(data);
 self.frame_pos += data.len();
+ Ok(())
 }
 fn write_slice_info(&mut self, slice_no: usize) {
 let off = 1 + (slice_no - 1) * 8;
@@ -580,7 +582,7 @@ println!(" got ainfo {:?}", ainfo);
 if packet_num == 1 {
 vstr.start_slice(num_pkts, frame_size as usize, slice_buf.as_slice());
 } else {
- vstr.add_slice(packet_num as usize, slice_buf.as_slice());
+ vstr.add_slice(packet_num as usize, slice_buf.as_slice())?;
 }
 if (packet_num as usize) < num_pkts {
 return Err(DemuxerError::TryAgain);
@@ -610,7 +612,7 @@ println!(" got ainfo {:?}", ainfo);
 if packet_num == 1 && frame_size == tail_size {
 vstr.start_slice(num_pkts, frame_size as usize, slice_buf.as_slice());
 } else {
- vstr.add_slice(packet_num as usize, slice_buf.as_slice());
+ vstr.add_slice(packet_num as usize, slice_buf.as_slice())?;
 }
 while src.tell() < pos + (payload_size as u64) {
--
2.30.2
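Review bot: The `.unwrap()` added to the `add_slice` call in `start_slice` turns the new bounds check back into a panic on the first-slice path: if the first slice is longer than `frame_size`, `validate!` returns an error and the unwrap aborts the demuxer instead of reporting it. The slice data and frame size appear to come from the demuxed stream, so a malformed file would still crash the process here, only with a different message. `start_slice` could return `DemuxerResult<()>` and end with `self.add_slice(1, data)`, with both callers changed to `vstr.start_slice(num_pkts, frame_size as usize, slice_buf.as_slice())?;`. The signature of `start_slice` lies above the hunk, so that part of the change is outside the visible lines.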
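Review bot: In the `else` branch here, `packet_num` reaches `add_slice` as `slice_no` without a range check; the new `validate!` covers only the data length. `write_slice_info` computes `1 + (slice_no - 1) * 8`, so a `packet_num` of 0 would underflow there (a panic in debug builds, a wrapped offset otherwise). A value above the slice count would presumably index outside the per-slice header area. Whether the parsing code above the hunk already rules these values out is not visible. A guard at the top of `add_slice` such as `validate!(slice_no > 0);` would close the underflow, and an upper bound against the slice count recorded by `start_slice` is worth adding next to it. The identical call in the hunk at new line 612 is affected in the same way.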