read_asf_header() sanity-check header len.

[paraslash.git] / wma_common.c

diff --git a/wma_common.c b/wma_common.c
index 5ea92c73948f70a66ff80aa830adba857f582a4f..3326cfff6148128f08ebc3b388ee82711a3c9ed5 100644 (file)
--- a/wma_common.c
+++ b/wma_common.c
@@ -25,8 +25,6 @@ const char *search_pattern(const char *pattern, int pattern_len, const char *buf
 {
        const char *p, *end = buf + buf_size;
 
-       if (pattern_len > buf_size)
-               return NULL;
        for (p = buf; p + pattern_len < end; p++) {
                if (memcmp(p, pattern, pattern_len))
                        continue;
@@ -49,7 +47,7 @@ static int find_audio_stream_info(const char *buf, int len)
        if (!p)
                return -E_WMA_NO_GUID;
        PARA_DEBUG_LOG("found audio stream guid@%0zx\n", p - buf);
-       return p - buf;
+       return p - buf + 16;
 }
 
 static int read_header_len(char *buf, int len)
@@ -64,8 +62,14 @@ static int read_header_len(char *buf, int len)
 }
 
 /**
+ * Read an asf audio file header.
+ *
+ * \param buf The input buffer.
+ * \param loaded Number of bytes in \a buf.
+ * \param ahi Result pointer.
+ *
  * \return Negative on errors, zero if more data is needed in order to read the
- * full header. Positive header length on success.
+ * full header, 1 on success.
  */
 int read_asf_header(char *buf, int loaded, struct asf_header_info *ahi)
 {
@@ -80,9 +84,10 @@ int read_asf_header(char *buf, int loaded, struct asf_header_info *ahi)
        ret = find_audio_stream_info(buf, ahi->header_len);
        if (ret < 0)
                return ret;
-       ahi->audio_stream_info_start = ret + 16;
+       if (ret + 62 > loaded)
+               return 0;
+       ahi->audio_stream_info_start = ret;
        start = buf + ahi->audio_stream_info_start;
-
        ahi->channels = ((uint8_t *)start)[40];
        ahi->sample_rate = read_u16(start + 42);
        PARA_NOTICE_LOG("%d channels, sample rate: %d\n", ahi->channels,