diff options
| author | Rafaël Carré <rafael.carre@gmail.com> | 2010-07-26 08:59:17 +0000 |
|---|---|---|
| committer | Rafaël Carré <rafael.carre@gmail.com> | 2010-07-26 08:59:17 +0000 |
| commit | cb86bc7e929996d6620bfdece8b56b59fc4e534e (patch) | |
| tree | 595ef1b6e954ce1990f60c537665ea0efd51f7fd /apps/metadata/aiff.c | |
| parent | 839d62f255b54e95222ac588447e40b2d0b51475 (diff) | |
| download | rockbox-cb86bc7e929996d6620bfdece8b56b59fc4e534e.tar.gz rockbox-cb86bc7e929996d6620bfdece8b56b59fc4e534e.zip | |
aiff metadata: skip chunks larger than buffer
Also use a stack temporary buffer bigger than id3->path
Fix FS#11494 which uses a (unparsed) 410 bytes comment chunk
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@27570 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'apps/metadata/aiff.c')
| -rw-r--r-- | apps/metadata/aiff.c | 70 |
1 files changed, 42 insertions, 28 deletions
diff --git a/apps/metadata/aiff.c b/apps/metadata/aiff.c index 063e5d56af..07d02dbcb6 100644 --- a/apps/metadata/aiff.c +++ b/apps/metadata/aiff.c | |||
| @@ -29,49 +29,64 @@ | |||
| 29 | #include "metadata_common.h" | 29 | #include "metadata_common.h" |
| 30 | #include "metadata_parsers.h" | 30 | #include "metadata_parsers.h" |
| 31 | 31 | ||
| 32 | #include "debug.h" | ||
| 33 | |||
| 32 | /* compressionType: AIFC QuickTime IMA ADPCM */ | 34 | /* compressionType: AIFC QuickTime IMA ADPCM */ |
| 33 | #define AIFC_FORMAT_QT_IMA_ADPCM "ima4" | 35 | #define AIFC_FORMAT_QT_IMA_ADPCM "ima4" |
| 34 | 36 | ||
| 35 | bool get_aiff_metadata(int fd, struct mp3entry* id3) | 37 | bool get_aiff_metadata(int fd, struct mp3entry* id3) |
| 36 | { | 38 | { |
| 37 | /* Use the trackname part of the id3 structure as a temporary buffer */ | 39 | unsigned char buf[512]; |
| 38 | unsigned char* buf = (unsigned char *)id3->path; | ||
| 39 | unsigned long numChannels = 0; | 40 | unsigned long numChannels = 0; |
| 40 | unsigned long numSampleFrames = 0; | 41 | unsigned long numSampleFrames = 0; |
| 41 | unsigned long numbytes = 0; | 42 | unsigned long numbytes = 0; |
| 42 | int read_bytes; | 43 | int read_bytes; |
| 43 | int i; | ||
| 44 | bool is_aifc = false; | 44 | bool is_aifc = false; |
| 45 | 45 | ||
| 46 | if ((lseek(fd, 0, SEEK_SET) < 0) || | 46 | if ((lseek(fd, 0, SEEK_SET) < 0) || (read(fd, &buf[0], 12) < 12) || |
| 47 | ((read_bytes = read(fd, buf, sizeof(id3->path))) < 54) || | 47 | (memcmp(&buf[0], "FORM", 4) != 0) || (memcmp(&buf[8], "AIF", 3) != 0) || |
| 48 | (memcmp(buf, "FORM", 4) != 0) || (memcmp(buf + 8, "AIF", 3) != 0) || | ||
| 49 | (!(is_aifc = (buf[11] == 'C')) && buf[11] != 'F')) | 48 | (!(is_aifc = (buf[11] == 'C')) && buf[11] != 'F')) |
| 50 | { | 49 | { |
| 51 | return false; | 50 | return false; |
| 52 | } | 51 | } |
| 53 | 52 | ||
| 54 | i = 12; | 53 | while((read_bytes = read(fd, &buf[0], 8)) == 8) |
| 55 | while ((numbytes == 0) && (read_bytes >= 8)) | ||
| 56 | { | 54 | { |
| 57 | buf += i; | 55 | size_t size = get_long_be(&buf[4]); /* chunkSize */ |
| 58 | read_bytes -= i; | 56 | |
| 57 | if (memcmp(&buf[0], "SSND", 4) == 0) | ||
| 58 | { | ||
| 59 | numbytes = size - 8; | ||
| 60 | break; /* assume COMM was already read */ | ||
| 61 | } | ||
| 62 | |||
| 63 | /* odd chunk sizes must be padded */ | ||
| 64 | size += size & 1; | ||
| 65 | |||
| 66 | if (size > sizeof(buf)) | ||
| 67 | { | ||
| 68 | DEBUGF("AIFF \"%4.4s\" chunk too large (%lu > %zd)", | ||
| 69 | (char*) &buf[0], size, sizeof(buf)); | ||
| 70 | } | ||
| 59 | 71 | ||
| 60 | /* chunkSize */ | 72 | if (memcmp(&buf[0], "COMM", 4) == 0) |
| 61 | i = get_long_be(&buf[4]); | ||
| 62 | |||
| 63 | if (memcmp(buf, "COMM", 4) == 0) | ||
| 64 | { | 73 | { |
| 65 | /* numChannels */ | 74 | if (size > sizeof(buf) || read(fd, &buf[0], size) != (ssize_t)size) |
| 66 | numChannels = ((buf[8]<<8)|buf[9]); | 75 | return false; |
| 67 | /* numSampleFrames */ | 76 | |
| 68 | numSampleFrames = get_long_be(&buf[10]); | 77 | numChannels = ((buf[0]<<8)|buf[1]); |
| 78 | |||
| 79 | numSampleFrames = get_long_be(&buf[2]); | ||
| 80 | |||
| 69 | /* sampleRate */ | 81 | /* sampleRate */ |
| 70 | id3->frequency = get_long_be(&buf[18]); | 82 | id3->frequency = get_long_be(&buf[10]); |
| 71 | id3->frequency >>= (16+14-buf[17]); | 83 | id3->frequency >>= (16+14-buf[9]); |
| 84 | |||
| 72 | /* save format infos */ | 85 | /* save format infos */ |
| 73 | id3->bitrate = (((buf[14]<<8)|buf[15]) * numChannels * id3->frequency) / 1000; | 86 | id3->bitrate = ((buf[6]<<8)|buf[7]) * numChannels * id3->frequency; |
| 74 | if (!is_aifc || memcmp(&buf[26], AIFC_FORMAT_QT_IMA_ADPCM, 4) != 0) | 87 | id3->bitrate /= 1000; |
| 88 | |||
| 89 | if (!is_aifc || memcmp(&buf[18], AIFC_FORMAT_QT_IMA_ADPCM, 4) != 0) | ||
| 75 | id3->length = ((int64_t) numSampleFrames * 1000) / id3->frequency; | 90 | id3->length = ((int64_t) numSampleFrames * 1000) / id3->frequency; |
| 76 | else | 91 | else |
| 77 | { | 92 | { |
| @@ -82,14 +97,13 @@ bool get_aiff_metadata(int fd, struct mp3entry* id3) | |||
| 82 | id3->vbr = false; /* AIFF files are CBR */ | 97 | id3->vbr = false; /* AIFF files are CBR */ |
| 83 | id3->filesize = filesize(fd); | 98 | id3->filesize = filesize(fd); |
| 84 | } | 99 | } |
| 85 | else if (memcmp(buf, "SSND", 4) == 0) | 100 | else |
| 86 | { | 101 | { |
| 87 | numbytes = i - 8; | 102 | /* skip chunk */ |
| 103 | if (lseek(fd, size, SEEK_CUR) < 0) | ||
| 104 | return false; | ||
| 88 | } | 105 | } |
| 89 | |||
| 90 | /* odd chunk sizes must be padded */ | ||
| 91 | i += 8 + (i & 0x01); | ||
| 92 | } | 106 | } |
| 93 | 107 | ||
| 94 | return ((numbytes != 0) && (numChannels != 0)); | 108 | return numbytes && numChannels; |
| 95 | } | 109 | } |