summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRafaël Carré <rafael.carre@gmail.com>2010-07-26 08:59:17 +0000
committerRafaël Carré <rafael.carre@gmail.com>2010-07-26 08:59:17 +0000
commitcb86bc7e929996d6620bfdece8b56b59fc4e534e (patch)
tree595ef1b6e954ce1990f60c537665ea0efd51f7fd
parent839d62f255b54e95222ac588447e40b2d0b51475 (diff)
downloadrockbox-cb86bc7e929996d6620bfdece8b56b59fc4e534e.tar.gz
rockbox-cb86bc7e929996d6620bfdece8b56b59fc4e534e.tar.bz2
rockbox-cb86bc7e929996d6620bfdece8b56b59fc4e534e.zip
aiff metadata: skip chunks larger than buffer
Also use a stack temporary buffer bigger than id3->path Fix FS#11494 which uses a (unparsed) 410 bytes comment chunk git-svn-id: svn://svn.rockbox.org/rockbox/trunk@27570 a1c6a512-1295-4272-9138-f99709370657
-rw-r--r--apps/metadata/aiff.c70
1 files changed, 42 insertions, 28 deletions
diff --git a/apps/metadata/aiff.c b/apps/metadata/aiff.c
index 063e5d56af..07d02dbcb6 100644
--- a/apps/metadata/aiff.c
+++ b/apps/metadata/aiff.c
@@ -29,49 +29,64 @@
#include "metadata_common.h"
#include "metadata_parsers.h"
+#include "debug.h"
+
/* compressionType: AIFC QuickTime IMA ADPCM */
#define AIFC_FORMAT_QT_IMA_ADPCM "ima4"
bool get_aiff_metadata(int fd, struct mp3entry* id3)
{
- /* Use the trackname part of the id3 structure as a temporary buffer */
- unsigned char* buf = (unsigned char *)id3->path;
+ unsigned char buf[512];
unsigned long numChannels = 0;
unsigned long numSampleFrames = 0;
unsigned long numbytes = 0;
int read_bytes;
- int i;
bool is_aifc = false;
- if ((lseek(fd, 0, SEEK_SET) < 0) ||
- ((read_bytes = read(fd, buf, sizeof(id3->path))) < 54) ||
- (memcmp(buf, "FORM", 4) != 0) || (memcmp(buf + 8, "AIF", 3) != 0) ||
+ if ((lseek(fd, 0, SEEK_SET) < 0) || (read(fd, &buf[0], 12) < 12) ||
+ (memcmp(&buf[0], "FORM", 4) != 0) || (memcmp(&buf[8], "AIF", 3) != 0) ||
(!(is_aifc = (buf[11] == 'C')) && buf[11] != 'F'))
{
return false;
}
- i = 12;
- while ((numbytes == 0) && (read_bytes >= 8))
+ while((read_bytes = read(fd, &buf[0], 8)) == 8)
{
- buf += i;
- read_bytes -= i;
+ size_t size = get_long_be(&buf[4]); /* chunkSize */
+
+ if (memcmp(&buf[0], "SSND", 4) == 0)
+ {
+ numbytes = size - 8;
+ break; /* assume COMM was already read */
+ }
+
+ /* odd chunk sizes must be padded */
+ size += size & 1;
+
+ if (size > sizeof(buf))
+ {
+ DEBUGF("AIFF \"%4.4s\" chunk too large (%lu > %zd)",
+ (char*) &buf[0], size, sizeof(buf));
+ }
- /* chunkSize */
- i = get_long_be(&buf[4]);
-
- if (memcmp(buf, "COMM", 4) == 0)
+ if (memcmp(&buf[0], "COMM", 4) == 0)
{
- /* numChannels */
- numChannels = ((buf[8]<<8)|buf[9]);
- /* numSampleFrames */
- numSampleFrames = get_long_be(&buf[10]);
+ if (size > sizeof(buf) || read(fd, &buf[0], size) != (ssize_t)size)
+ return false;
+
+ numChannels = ((buf[0]<<8)|buf[1]);
+
+ numSampleFrames = get_long_be(&buf[2]);
+
/* sampleRate */
- id3->frequency = get_long_be(&buf[18]);
- id3->frequency >>= (16+14-buf[17]);
+ id3->frequency = get_long_be(&buf[10]);
+ id3->frequency >>= (16+14-buf[9]);
+
/* save format infos */
- id3->bitrate = (((buf[14]<<8)|buf[15]) * numChannels * id3->frequency) / 1000;
- if (!is_aifc || memcmp(&buf[26], AIFC_FORMAT_QT_IMA_ADPCM, 4) != 0)
+ id3->bitrate = ((buf[6]<<8)|buf[7]) * numChannels * id3->frequency;
+ id3->bitrate /= 1000;
+
+ if (!is_aifc || memcmp(&buf[18], AIFC_FORMAT_QT_IMA_ADPCM, 4) != 0)
id3->length = ((int64_t) numSampleFrames * 1000) / id3->frequency;
else
{
@@ -82,14 +97,13 @@ bool get_aiff_metadata(int fd, struct mp3entry* id3)
id3->vbr = false; /* AIFF files are CBR */
id3->filesize = filesize(fd);
}
- else if (memcmp(buf, "SSND", 4) == 0)
+ else
{
- numbytes = i - 8;
+ /* skip chunk */
+ if (lseek(fd, size, SEEK_CUR) < 0)
+ return false;
}
-
- /* odd chunk sizes must be padded */
- i += 8 + (i & 0x01);
}
- return ((numbytes != 0) && (numChannels != 0));
+ return numbytes && numChannels;
}