diff options
| author | Solomon Peachy <pizza@shaftnet.org> | 2021-05-12 18:22:06 -0400 |
|---|---|---|
| committer | Solomon Peachy <pizza@shaftnet.org> | 2021-05-12 18:22:06 -0400 |
| commit | 942b1dd072abc071a4024adc5198976878024bcb (patch) | |
| tree | fec6a7e35902db07c24ee5b56bb01ee736db30c6 | |
| parent | 84a3cbe24dd4d5362f758aa7f70278f85742c1c2 (diff) | |
| download | rockbox-942b1dd072abc071a4024adc5198976878024bcb.tar.gz rockbox-942b1dd072abc071a4024adc5198976878024bcb.zip | |
FS13094: Fix a divide-by-zero crash parsing zero-length WMA/ASF files
Change-Id: I2e90692327c69c4467a586b23b877c596b8d2c40
| -rw-r--r-- | lib/rbcodec/metadata/asf.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/lib/rbcodec/metadata/asf.c b/lib/rbcodec/metadata/asf.c index 9a74ada453..13e193ae35 100644 --- a/lib/rbcodec/metadata/asf.c +++ b/lib/rbcodec/metadata/asf.c | |||
| @@ -274,13 +274,13 @@ static int asf_parse_header(int fd, struct mp3entry* id3, | |||
| 274 | } | 274 | } |
| 275 | 275 | ||
| 276 | fileprop = 1; | 276 | fileprop = 1; |
| 277 | 277 | ||
| 278 | /* Get the number of logical packets - uint64_t at offset 32 | 278 | /* Get the number of logical packets - uint64_t at offset 32 |
| 279 | * (little endian byte order) */ | 279 | * (little endian byte order) */ |
| 280 | lseek(fd, 32, SEEK_CUR); | 280 | lseek(fd, 32, SEEK_CUR); |
| 281 | read_uint64le(fd, &wfx->numpackets); | 281 | read_uint64le(fd, &wfx->numpackets); |
| 282 | /*DEBUGF("read packets: %llx %lld\n", wfx->numpackets, wfx->numpackets);*/ | 282 | /*DEBUGF("read packets: %llx %lld\n", wfx->numpackets, wfx->numpackets);*/ |
| 283 | 283 | ||
| 284 | /* Now get the play duration - uint64_t at offset 40 */ | 284 | /* Now get the play duration - uint64_t at offset 40 */ |
| 285 | read_uint64le(fd, &play_duration); | 285 | read_uint64le(fd, &play_duration); |
| 286 | id3->length = play_duration / 10000; | 286 | id3->length = play_duration / 10000; |
| @@ -338,7 +338,7 @@ static int asf_parse_header(int fd, struct mp3entry* id3, | |||
| 338 | read_uint16le(fd, &wfx->datalen); | 338 | read_uint16le(fd, &wfx->datalen); |
| 339 | 339 | ||
| 340 | /*sanity check the included bitrate by comparing to file size and length*/ | 340 | /*sanity check the included bitrate by comparing to file size and length*/ |
| 341 | unsigned int estimated_bitrate = (wfx->packet_size*wfx->numpackets)/id3->length*8000; | 341 | unsigned int estimated_bitrate = id3->length ? (wfx->packet_size*wfx->numpackets)/id3->length*8000 : 0; |
| 342 | 342 | ||
| 343 | /*in theory we could just use the estimated bitrate always, | 343 | /*in theory we could just use the estimated bitrate always, |
| 344 | but its safer to underestimate*/ | 344 | but its safer to underestimate*/ |
| @@ -484,22 +484,22 @@ static int asf_parse_header(int fd, struct mp3entry* id3, | |||
| 484 | } else if (!strcmp("WM/Picture", utf8buf)) { | 484 | } else if (!strcmp("WM/Picture", utf8buf)) { |
| 485 | uint32_t datalength, strlength; | 485 | uint32_t datalength, strlength; |
| 486 | /* Expected is either "01 00 xx xx 03 yy yy yy yy" or | 486 | /* Expected is either "01 00 xx xx 03 yy yy yy yy" or |
| 487 | * "03 yy yy yy yy". xx is the size of the WM/Picture | 487 | * "03 yy yy yy yy". xx is the size of the WM/Picture |
| 488 | * container in bytes. yy equals the raw data length of | 488 | * container in bytes. yy equals the raw data length of |
| 489 | * the embedded image. */ | 489 | * the embedded image. */ |
| 490 | lseek(fd, -4, SEEK_CUR); | 490 | lseek(fd, -4, SEEK_CUR); |
| 491 | read(fd, &type, 1); | 491 | read(fd, &type, 1); |
| 492 | if (type == 1) { | 492 | if (type == 1) { |
| 493 | lseek(fd, 3, SEEK_CUR); | 493 | lseek(fd, 3, SEEK_CUR); |
| 494 | read(fd, &type, 1); | 494 | read(fd, &type, 1); |
| 495 | /* In case the parsing will fail in the next step we | 495 | /* In case the parsing will fail in the next step we |
| 496 | * might at least be able to skip the whole section. */ | 496 | * might at least be able to skip the whole section. */ |
| 497 | datalength = length - 1; | 497 | datalength = length - 1; |
| 498 | } | 498 | } |
| 499 | if (type == 3) { | 499 | if (type == 3) { |
| 500 | /* Read the raw data length of the embedded image. */ | 500 | /* Read the raw data length of the embedded image. */ |
| 501 | read_uint32le(fd, &datalength); | 501 | read_uint32le(fd, &datalength); |
| 502 | 502 | ||
| 503 | /* Reset utf8 buffer */ | 503 | /* Reset utf8 buffer */ |
| 504 | utf8 = utf8buf; | 504 | utf8 = utf8buf; |
| 505 | utf8length = 512; | 505 | utf8length = 512; |
| @@ -528,7 +528,7 @@ static int asf_parse_header(int fd, struct mp3entry* id3, | |||
| 528 | id3->has_embedded_albumart = true; | 528 | id3->has_embedded_albumart = true; |
| 529 | } | 529 | } |
| 530 | } | 530 | } |
| 531 | 531 | ||
| 532 | lseek(fd, datalength, SEEK_CUR); | 532 | lseek(fd, datalength, SEEK_CUR); |
| 533 | #endif | 533 | #endif |
| 534 | } else { | 534 | } else { |