devs/foxbox
1
0
Fork 0
forked from len0rd/rockbox
Code Pull requests Activity

aiff metadata: skip chunks larger than buffer

Browse source 
Also use a stack temporary buffer bigger than id3->path

Fix FS#11494 which uses a (unparsed) 410 bytes comment chunk

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@27570 a1c6a512-1295-4272-9138-f99709370657
This commit is contained in:
Rafaël Carré 2010-07-26 08:59:17 +00:00
parent 839d62f255
commit cb86bc7e92
1 changed files with 42 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

70
apps/metadata/aiff.c
View file

@ -29,49 +29,64 @@
#include "metadata_common.h" #include "metadata_common.h"
#include "metadata_parsers.h" #include "metadata_parsers.h"
#include "debug.h"
/* compressionType: AIFC QuickTime IMA ADPCM */ /* compressionType: AIFC QuickTime IMA ADPCM */
#define AIFC_FORMAT_QT_IMA_ADPCM "ima4" #define AIFC_FORMAT_QT_IMA_ADPCM "ima4"
bool get_aiff_metadata(int fd, struct mp3entry* id3) bool get_aiff_metadata(int fd, struct mp3entry* id3)
{ {
/* Use the trackname part of the id3 structure as a temporary buffer */ unsigned char buf[512];
unsigned char* buf = (unsigned char *)id3->path;
unsigned long numChannels = 0; unsigned long numChannels = 0;
unsigned long numSampleFrames = 0; unsigned long numSampleFrames = 0;
unsigned long numbytes = 0; unsigned long numbytes = 0;
int read_bytes; int read_bytes;
int i;
bool is_aifc = false; bool is_aifc = false;
if ((lseek(fd, 0, SEEK_SET) < 0) || if ((lseek(fd, 0, SEEK_SET) < 0) || (read(fd, &buf[0], 12) < 12) ||
((read_bytes = read(fd, buf, sizeof(id3->path))) < 54) || (memcmp(&buf[0], "FORM", 4) != 0) || (memcmp(&buf[8], "AIF", 3) != 0) ||
(memcmp(buf, "FORM", 4) != 0) || (memcmp(buf + 8, "AIF", 3) != 0) ||
(!(is_aifc = (buf[11] == 'C')) && buf[11] != 'F')) (!(is_aifc = (buf[11] == 'C')) && buf[11] != 'F'))
{ {
return false; return false;
} }
i = 12; while((read_bytes = read(fd, &buf[0], 8)) == 8)
while ((numbytes == 0) && (read_bytes >= 8))
{ {
buf += i; size_t size = get_long_be(&buf[4]); /* chunkSize */
read_bytes -= i;
/* chunkSize */ if (memcmp(&buf[0], "SSND", 4) == 0)
i = get_long_be(&buf[4]);
if (memcmp(buf, "COMM", 4) == 0)
{ {
/* numChannels */ numbytes = size - 8;
numChannels = ((buf[8]<<8)|buf[9]); break; /* assume COMM was already read */
/* numSampleFrames */ }
numSampleFrames = get_long_be(&buf[10]);
/* odd chunk sizes must be padded */
size += size & 1;
if (size > sizeof(buf))
{
DEBUGF("AIFF \"%4.4s\" chunk too large (%lu > %zd)",
(char*) &buf[0], size, sizeof(buf));
}
if (memcmp(&buf[0], "COMM", 4) == 0)
{
if (size > sizeof(buf) || read(fd, &buf[0], size) != (ssize_t)size)
return false;
numChannels = ((buf[0]<<8)|buf[1]);
numSampleFrames = get_long_be(&buf[2]);
/* sampleRate */ /* sampleRate */
id3->frequency = get_long_be(&buf[18]); id3->frequency = get_long_be(&buf[10]);
id3->frequency >>= (16+14-buf[17]); id3->frequency >>= (16+14-buf[9]);
/* save format infos */ /* save format infos */
id3->bitrate = (((buf[14]<<8)|buf[15]) * numChannels * id3->frequency) / 1000; id3->bitrate = ((buf[6]<<8)|buf[7]) * numChannels * id3->frequency;
if (!is_aifc || memcmp(&buf[26], AIFC_FORMAT_QT_IMA_ADPCM, 4) != 0) id3->bitrate /= 1000;
if (!is_aifc || memcmp(&buf[18], AIFC_FORMAT_QT_IMA_ADPCM, 4) != 0)
id3->length = ((int64_t) numSampleFrames * 1000) / id3->frequency; id3->length = ((int64_t) numSampleFrames * 1000) / id3->frequency;
else else
{ {
@ -82,14 +97,13 @@ bool get_aiff_metadata(int fd, struct mp3entry* id3)
id3->vbr = false; /* AIFF files are CBR */ id3->vbr = false; /* AIFF files are CBR */
id3->filesize = filesize(fd); id3->filesize = filesize(fd);
} }
else if (memcmp(buf, "SSND", 4) == 0) else
{ {
numbytes = i - 8; /* skip chunk */
if (lseek(fd, size, SEEK_CUR) < 0)
return false;
} }
/* odd chunk sizes must be padded */
i += 8 + (i & 0x01);
} }
return ((numbytes != 0) && (numChannels != 0)); return numbytes && numChannels;
} }