DTS reader: fixed handling of odd-length buffers in byte-swapped DTS situations

Found by fuzzing.
Moritz Bunkus 2020-09-21 18:11:44 +02:00
parent f4c1e36d91
commit 6f3c8510f0
No known key found for this signature in database
GPG Key ID: 74AF00ADF2E32C85
3 changed files with 14 additions and 4 deletions


@ -31,6 +31,9 @@
libEBML later. Found by fuzzying.
* mkvmerge: track statistics: fixed a "division by zero" error when the
content's shorter than 1ms. Found by fuzzying.
* mkvmerge: DTS reader: fixed handling of buffers with an odd length when
byte-swapped DTS is detected so that mkvmerge doesn't abort with a failed
assertion. Found by fuzzying.
# Version 50.0.0 "Awakenings" 2020-09-06


@ -28,7 +28,7 @@
bool
dts_reader_c::probe_file() {
m_chunks = scan_chunks(*m_in);
m_current_chunk = std::find_if(m_chunks.begin(), m_chunks.end(), [](chunk_t const &chunk) { return chunk.type == chunk_type_e::strmdata; });
m_current_chunk = std::find_if(m_chunks.begin(), m_chunks.end(), [](chunk_t const &chunk) { return (chunk.data_size > 1) && (chunk.type == chunk_type_e::strmdata); });
if (m_current_chunk == m_chunks.end())
return false;
@ -72,7 +72,10 @@ dts_reader_c::read_headers() {
mtx::dts::detect(m_buf[m_cur_buf], m_af_buf[0]->get_size(), m_dts14_to_16, m_swap_bytes);
mxdebug_if(m_debug, fmt::format("DTS: 14->16 {0} swap {1}\n", m_dts14_to_16, m_swap_bytes));
mxdebug_if(m_debug, fmt::format("DTS: 14->16 {0} swap {1} buf size {2}\n", m_dts14_to_16, m_swap_bytes, m_af_buf[0]->get_size()));
if (m_swap_bytes && (m_af_buf[0]->get_size() % 2))
m_af_buf[0]->set_size(m_af_buf[0]->get_size() - 1);
decode_buffer(m_af_buf[0]->get_size());
int pos = mtx::dts::find_header(reinterpret_cast<const unsigned char *>(m_buf[m_cur_buf]), m_af_buf[0]->get_size(), m_dtsheader);
@ -122,6 +125,8 @@ dts_reader_c::read(generic_packetizer_c *,
return flush_packetizers();
auto bytes_to_read = std::min<int64_t>(m_current_chunk->data_end - std::min(m_in->getFilePointer(), m_current_chunk->data_end), m_af_buf[0]->get_size());
if (m_swap_bytes)
bytes_to_read &= ~0x1;
if (m_dts14_to_16)
bytes_to_read &= ~0xf;
@ -142,7 +147,9 @@ dts_reader_c::read(generic_packetizer_c *,
++m_current_chunk;
while ((m_current_chunk != chunks_end) && (m_current_chunk->type != chunk_type_e::strmdata))
while ( (m_current_chunk != chunks_end)
&& ( (m_current_chunk->data_size < 2)
|| (m_current_chunk->type != chunk_type_e::strmdata)))
++m_current_chunk;
if (m_current_chunk == chunks_end)
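Review bot: In read_headers() the new trim only rounds the buffer size for the byte-swap case, whereas read() also rounds `bytes_to_read` down with `&= ~0xf` when `m_dts14_to_16` is set; if decode_buffer() has a comparable length precondition for the 14-to-16 conversion (its body is not visible here), a malformed file could still trip it during header probing, so either round there as well or confirm it is unnecessary. In read(), `bytes_to_read &= ~0x1` can yield 0 when an odd-sized chunk has a single byte left, and the code that consumes `bytes_to_read` lies outside the hunk, so it is worth confirming that a zero-length read advances to the next chunk instead of repeating. The two-byte minimum is also spelled two ways (`data_size > 1` in probe_file(), `data_size < 2` in read()); a short comment such as `// byte-swapping needs at least one full 16-bit word` at both sites would make the reason clear. All three function bodies continue outside the hunks shown.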


@ -555,4 +555,4 @@ T_706bcp47_mkvmerge_tracks_disable_language_ietf:d3debb1ac7a98668c4cac753891185b
T_707bcp47_mkvmerge_chapters_disable_language_ietf:2a2202254f1e426484151e9299f83841-ok-b6807e13a6ea9a2cc609e86b3e9af87d-ok-b6807e13a6ea9a2cc609e86b3e9af87d-ok-b34723deaedf0499e3867766749863b2-ok-b34723deaedf0499e3867766749863b2-ok-b34723deaedf0499e3867766749863b2-ok-ff2908a5f9aedaca69790c4ec909a829-ok-fcf93dcc200afe462b71d16d7c9fef90-ok-fcf93dcc200afe462b71d16d7c9fef90-ok:passed:20200829-101752:0.197644079
T_708bcp47_propedit_language_ietf_disable_language_ietf:d80d696e8045ebf157d31db09142307c-und+und+ok+ger+und+ok+ger+pt_BR+ok+spa+pt_BR+ok+eng+pt_BR+ok+eng++ok:passed:20200829-103838:0.0
T_709bcp47_mkvmerge_tags:9208217d36fa9368be5a44b239286424:passed:20200903-234135:0.0
T_710fuzzying:8a854a7b177603c5291752d2f9520fa0-e805674b364be8464e5e5a40e4fbd0bf-9e16062a69f4f0f3194d4df7ffc6fe4e-1b04d1875e32404c86dbef16ddb75db0-d1eae321da2a9b9ecedb17f3c2a61a5a-8511491b33e36ad1a9edd5973af0bcc5:passed:20200921-133156:0.052004005
T_710fuzzying:8a854a7b177603c5291752d2f9520fa0-e805674b364be8464e5e5a40e4fbd0bf-9e16062a69f4f0f3194d4df7ffc6fe4e-cc7dd2e0814bf64c863f9dc279a62932-1b04d1875e32404c86dbef16ddb75db0-d1eae321da2a9b9ecedb17f3c2a61a5a-8511491b33e36ad1a9edd5973af0bcc5:passed:20200921-133156:0.059249045