From 8ae5eb75df683069b04cf45bfa9d25fbb161c996 Mon Sep 17 00:00:00 2001 From: David Goldwich Date: Fri, 2 Dec 2011 05:54:20 +0100 Subject: [PATCH] oma: better format detection with small probe buffer Signed-off-by: David Goldwich Signed-off-by: Anton Khirnov --- libavformat/oma.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libavformat/oma.c b/libavformat/oma.c index 0d81a43dfd..4f4837d63b 100644 --- a/libavformat/oma.c +++ b/libavformat/oma.c @@ -394,14 +394,20 @@ static int oma_read_probe(AVProbeData *p) unsigned tag_len = 0; buf = p->buf; - /* version must be 3 and flags byte zero */ - if (ff_id3v2_match(buf, ID3v2_EA3_MAGIC) && buf[3] == 3 && !buf[4]) - tag_len = ff_id3v2_tag_len(buf); - // This check cannot overflow as tag_len has at most 28 bits - if (p->buf_size < tag_len + 5) + if (p->buf_size < ID3v2_HEADER_SIZE || + !ff_id3v2_match(buf, ID3v2_EA3_MAGIC) || + buf[3] != 3 || // version must be 3 + buf[4]) // flags byte zero return 0; + tag_len = ff_id3v2_tag_len(buf); + + /* This check cannot overflow as tag_len has at most 28 bits */ + if (p->buf_size < tag_len + 5) + /* EA3 header comes late, might be outside of the probe buffer */ + return AVPROBE_SCORE_MAX / 2; + buf += tag_len; if (!memcmp(buf, "EA3", 3) && !buf[4] && buf[5] == EA3_HEADER_SIZE)