From 6f3c8510f0676d8b529562424bc9e9e0b1bba04b Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Mon, 21 Sep 2020 18:11:44 +0200
Subject: [PATCH] DTS reader: fixed handling of odd-length buffers in byte-swapped DTS situations
Found by fuzzying.
---
 NEWS.md | 3 +++
 src/input/r_dts.cpp | 13 ++++++++++---
 tests/results.txt | 2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/NEWS.md b/NEWS.md
index cb4d0bc3c..a1245aab7 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -31,6 +31,9 @@
 libEBML later. Found by fuzzying.
 * mkvmerge: track statistics: fixed a "division by zero" error when the content's shorter than 1ms. Found by fuzzying.
+* mkvmerge: DTS reader: fixed handling of buffers with an odd length when
+ byte-swapped DTS is detected so that mkvmerge doesn't abort with a failed
+ assertion. Found by fuzzying.
 # Version 50.0.0 "Awakenings" 2020-09-06
diff --git a/src/input/r_dts.cpp b/src/input/r_dts.cpp
index 75e1b9275..512377c45 100644
--- a/src/input/r_dts.cpp
+++ b/src/input/r_dts.cpp
@@ -28,7 +28,7 @@ bool dts_reader_c::probe_file() {
 m_chunks = scan_chunks(*m_in);
- m_current_chunk = std::find_if(m_chunks.begin(), m_chunks.end(), [](chunk_t const &chunk) { return chunk.type == chunk_type_e::strmdata; });
+ m_current_chunk = std::find_if(m_chunks.begin(), m_chunks.end(), [](chunk_t const &chunk) { return (chunk.data_size > 1) && (chunk.type == chunk_type_e::strmdata); });
 if (m_current_chunk == m_chunks.end()) return false;
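Review bot: The new minimum-size test in the `find_if` lambda of probe_file() is written as `chunk.data_size > 1`, while the skip loop in read() (last r_dts.cpp hunk) writes the same rule as `m_current_chunk->data_size < 2`, and neither site says why two bytes is the floor. A comment on the lambda such as `// skip chunks too small to hold one 16-bit word (odd-length handling for byte-swapped DTS)` would record the intent, and one shared predicate used by both sites would keep the two conditions from drifting apart. The filter appears to run before byte order is detected in read_headers(), so it would also drop one-byte chunks from streams that are not byte-swapped; that looks intentional but is worth stating. probe_file() continues past the end of this hunk.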
@@ -72,7 +72,10 @@ dts_reader_c::read_headers() {
 mtx::dts::detect(m_buf[m_cur_buf], m_af_buf[0]->get_size(), m_dts14_to_16, m_swap_bytes);
- mxdebug_if(m_debug, fmt::format("DTS: 14->16 {0} swap {1}\n", m_dts14_to_16, m_swap_bytes));
+ mxdebug_if(m_debug, fmt::format("DTS: 14->16 {0} swap {1} buf size {2}\n", m_dts14_to_16, m_swap_bytes, m_af_buf[0]->get_size()));
+
+ if (m_swap_bytes && (m_af_buf[0]->get_size() % 2))
+ m_af_buf[0]->set_size(m_af_buf[0]->get_size() - 1);
 decode_buffer(m_af_buf[0]->get_size());
 int pos = mtx::dts::find_header(reinterpret_cast(m_buf[m_cur_buf]), m_af_buf[0]->get_size(), m_dtsheader);
@@ -122,6 +125,8 @@ dts_reader_c::read(generic_packetizer_c *,
 return flush_packetizers();
 auto bytes_to_read = std::min(m_current_chunk->data_end - std::min(m_in->getFilePointer(), m_current_chunk->data_end), m_af_buf[0]->get_size());
+ if (m_swap_bytes)
+ bytes_to_read &= ~0x1;
 if (m_dts14_to_16) bytes_to_read &= ~0xf;
@@ -142,7 +147,9 @@ dts_reader_c::read(generic_packetizer_c *,
 ++m_current_chunk;
- while ((m_current_chunk != chunks_end) && (m_current_chunk->type != chunk_type_e::strmdata))
+ while ( (m_current_chunk != chunks_end)
+ && ( (m_current_chunk->data_size < 2)
+ || (m_current_chunk->type != chunk_type_e::strmdata)))
 ++m_current_chunk;
 if (m_current_chunk == chunks_end)
diff --git a/tests/results.txt b/tests/results.txt
index 88fd9ce11..364a663e6 100644
--- a/tests/results.txt
+++ b/tests/results.txt
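Review bot: In read_headers() the new trim covers only `m_swap_bytes`, whereas read() rounds the length down for both `m_swap_bytes` (`&= ~0x1`) and `m_dts14_to_16` (`&= ~0xf`). If the 14-to-16 path inside `decode_buffer()` has a comparable length assumption, which this hunk does not show, header parsing of a malformed file can still reach it with an unrounded size; applying the same rounding here as read() does would make the two paths agree. The trim also changes the buffer's own size through `set_size()`, so a buffer reported as one byte long would become zero-length before `decode_buffer()` and `find_header()` run, and it is worth confirming both tolerate that. A comment such as `// byte swapping works on 16-bit words, so drop a trailing odd byte` above the `if` would explain why the size is altered. read_headers() starts and ends outside this hunk.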
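Review bot: After the two masks in read(), `bytes_to_read` can be zero while the chunk still has data left: the last byte of an odd-sized chunk when `m_swap_bytes` is set, or fewer than 16 remaining bytes when `m_dts14_to_16` is set. The chunk filters added in this commit only exclude chunks with `data_size < 2`, so a chunk of 2 to 15 bytes in 14-to-16 mode still reaches this point. The code that consumes `bytes_to_read` lies between this hunk and the next and is not shown, so it should be confirmed that a zero-length read advances to the next chunk rather than returning without progress. An explicit `if (!bytes_to_read)` branch that moves on to the next chunk, with a regression input for each mode, would pin the behaviour down.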
@@ -555,4 +555,4 @@ T_706bcp47_mkvmerge_tracks_disable_language_ietf:d3debb1ac7a98668c4cac753891185b T_707bcp47_mkvmerge_chapters_disable_language_ietf:2a2202254f1e426484151e9299f83841-ok-b6807e13a6ea9a2cc609e86b3e9af87d-ok-b6807e13a6ea9a2cc609e86b3e9af87d-ok-b34723deaedf0499e3867766749863b2-ok-b34723deaedf0499e3867766749863b2-ok-b34723deaedf0499e3867766749863b2-ok-ff2908a5f9aedaca69790c4ec909a829-ok-fcf93dcc200afe462b71d16d7c9fef90-ok-fcf93dcc200afe462b71d16d7c9fef90-ok:passed:20200829-101752:0.197644079 T_708bcp47_propedit_language_ietf_disable_language_ietf:d80d696e8045ebf157d31db09142307c-und+und+ok+ger+und+ok+ger+pt_BR+ok+spa+pt_BR+ok+eng+pt_BR+ok+eng++ok:passed:20200829-103838:0.0 T_709bcp47_mkvmerge_tags:9208217d36fa9368be5a44b239286424:passed:20200903-234135:0.0 -T_710fuzzying:8a854a7b177603c5291752d2f9520fa0-e805674b364be8464e5e5a40e4fbd0bf-9e16062a69f4f0f3194d4df7ffc6fe4e-1b04d1875e32404c86dbef16ddb75db0-d1eae321da2a9b9ecedb17f3c2a61a5a-8511491b33e36ad1a9edd5973af0bcc5:passed:20200921-133156:0.052004005 +T_710fuzzying:8a854a7b177603c5291752d2f9520fa0-e805674b364be8464e5e5a40e4fbd0bf-9e16062a69f4f0f3194d4df7ffc6fe4e-cc7dd2e0814bf64c863f9dc279a62932-1b04d1875e32404c86dbef16ddb75db0-d1eae321da2a9b9ecedb17f3c2a61a5a-8511491b33e36ad1a9edd5973af0bcc5:passed:20200921-133156:0.059249045