riff: Validate the wav header size before trying to parse it
[libav.git] / libavformat / riffdec.c
1 /*
2 * RIFF demuxing functions and data
3 * Copyright (c) 2000 Fabrice Bellard
4 *
5 * This file is part of Libav.
6 *
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "libavutil/dict.h"
23 #include "libavutil/error.h"
24 #include "libavutil/log.h"
25 #include "libavutil/mathematics.h"
26 #include "libavcodec/avcodec.h"
27 #include "libavcodec/bytestream.h"
28 #include "avformat.h"
29 #include "avio_internal.h"
30 #include "riff.h"
31
32 const AVCodecGuid ff_codec_wav_guids[] = {
33 { AV_CODEC_ID_AC3, { 0x2C, 0x80, 0x6D, 0xE0, 0x46, 0xDB, 0xCF, 0x11, 0xB4, 0xD1, 0x00, 0x80, 0x5F, 0x6C, 0xBB, 0xEA } },
34 { AV_CODEC_ID_ATRAC3P, { 0xBF, 0xAA, 0x23, 0xE9, 0x58, 0xCB, 0x71, 0x44, 0xA1, 0x19, 0xFF, 0xFA, 0x01, 0xE4, 0xCE, 0x62 } },
35 { AV_CODEC_ID_EAC3, { 0xAF, 0x87, 0xFB, 0xA7, 0x02, 0x2D, 0xFB, 0x42, 0xA4, 0xD4, 0x05, 0xCD, 0x93, 0x84, 0x3B, 0xDD } },
36 { AV_CODEC_ID_MP2, { 0x2B, 0x80, 0x6D, 0xE0, 0x46, 0xDB, 0xCF, 0x11, 0xB4, 0xD1, 0x00, 0x80, 0x5F, 0x6C, 0xBB, 0xEA } },
37 { AV_CODEC_ID_NONE }
38 };
39
40 enum AVCodecID ff_codec_guid_get_id(const AVCodecGuid *guids, ff_asf_guid guid)
41 {
42 int i;
43 for (i = 0; guids[i].id != AV_CODEC_ID_NONE; i++)
44 if (!ff_guidcmp(guids[i].guid, guid))
45 return guids[i].id;
46 return AV_CODEC_ID_NONE;
47 }
48
49 /* We could be given one of the three possible structures here:
50 * WAVEFORMAT, PCMWAVEFORMAT or WAVEFORMATEX. Each structure
51 * is an expansion of the previous one with the fields added
52 * at the bottom. PCMWAVEFORMAT adds 'WORD wBitsPerSample' and
53 * WAVEFORMATEX adds 'WORD cbSize' and basically makes itself
54 * an openended structure.
55 */
56
57 static void parse_waveformatex(AVIOContext *pb, AVCodecContext *c)
58 {
59 ff_asf_guid subformat;
60 c->bits_per_coded_sample = avio_rl16(pb);
61 c->channel_layout = avio_rl32(pb); /* dwChannelMask */
62
63 ff_get_guid(pb, &subformat);
64 if (!memcmp(subformat + 4,
65 (const uint8_t[]){ FF_MEDIASUBTYPE_BASE_GUID }, 12)) {
66 c->codec_tag = AV_RL32(subformat);
67 c->codec_id = ff_wav_codec_get_id(c->codec_tag,
68 c->bits_per_coded_sample);
69 } else {
70 c->codec_id = ff_codec_guid_get_id(ff_codec_wav_guids, subformat);
71 if (!c->codec_id)
72 av_log(c, AV_LOG_WARNING,
73 "unknown subformat:"FF_PRI_GUID"\n",
74 FF_ARG_GUID(subformat));
75 }
76 }
77
78 int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
79 {
80 int id;
81
82 if (size < 14)
83 return AVERROR_INVALIDDATA;
84
85 id = avio_rl16(pb);
86 codec->codec_type = AVMEDIA_TYPE_AUDIO;
87 codec->channels = avio_rl16(pb);
88 codec->sample_rate = avio_rl32(pb);
89 codec->bit_rate = avio_rl32(pb) * 8;
90 codec->block_align = avio_rl16(pb);
91 if (size == 14) { /* We're dealing with plain vanilla WAVEFORMAT */
92 codec->bits_per_coded_sample = 8;
93 } else
94 codec->bits_per_coded_sample = avio_rl16(pb);
95 if (id == 0xFFFE) {
96 codec->codec_tag = 0;
97 } else {
98 codec->codec_tag = id;
99 codec->codec_id = ff_wav_codec_get_id(id,
100 codec->bits_per_coded_sample);
101 }
102 if (size >= 18) { /* We're obviously dealing with WAVEFORMATEX */
103 int cbSize = avio_rl16(pb); /* cbSize */
104 size -= 18;
105 cbSize = FFMIN(size, cbSize);
106 if (cbSize >= 22 && id == 0xfffe) { /* WAVEFORMATEXTENSIBLE */
107 parse_waveformatex(pb, codec);
108 cbSize -= 22;
109 size -= 22;
110 }
111 codec->extradata_size = cbSize;
112 if (cbSize > 0) {
113 av_free(codec->extradata);
114 codec->extradata = av_mallocz(codec->extradata_size +
115 FF_INPUT_BUFFER_PADDING_SIZE);
116 if (!codec->extradata)
117 return AVERROR(ENOMEM);
118 avio_read(pb, codec->extradata, codec->extradata_size);
119 size -= cbSize;
120 }
121
122 /* It is possible for the chunk to contain garbage at the end */
123 if (size > 0)
124 avio_skip(pb, size);
125 }
126 if (codec->sample_rate <= 0) {
127 av_log(NULL, AV_LOG_ERROR,
128 "Invalid sample rate: %d\n", codec->sample_rate);
129 return AVERROR_INVALIDDATA;
130 }
131 if (codec->codec_id == AV_CODEC_ID_AAC_LATM) {
132 /* Channels and sample_rate values are those prior to applying SBR
133 * and/or PS. */
134 codec->channels = 0;
135 codec->sample_rate = 0;
136 }
137 /* override bits_per_coded_sample for G.726 */
138 if (codec->codec_id == AV_CODEC_ID_ADPCM_G726)
139 codec->bits_per_coded_sample = codec->bit_rate / codec->sample_rate;
140
141 return 0;
142 }
143
144 enum AVCodecID ff_wav_codec_get_id(unsigned int tag, int bps)
145 {
146 enum AVCodecID id;
147 id = ff_codec_get_id(ff_codec_wav_tags, tag);
148 if (id <= 0)
149 return id;
150
151 if (id == AV_CODEC_ID_PCM_S16LE)
152 id = ff_get_pcm_codec_id(bps, 0, 0, ~1);
153 else if (id == AV_CODEC_ID_PCM_F32LE)
154 id = ff_get_pcm_codec_id(bps, 1, 0, 0);
155
156 if (id == AV_CODEC_ID_ADPCM_IMA_WAV && bps == 8)
157 id = AV_CODEC_ID_PCM_ZORK;
158 return id;
159 }
160
161 int ff_get_bmp_header(AVIOContext *pb, AVStream *st)
162 {
163 int tag1;
164 avio_rl32(pb); /* size */
165 st->codec->width = avio_rl32(pb);
166 st->codec->height = (int32_t)avio_rl32(pb);
167 avio_rl16(pb); /* planes */
168 st->codec->bits_per_coded_sample = avio_rl16(pb); /* depth */
169 tag1 = avio_rl32(pb);
170 avio_rl32(pb); /* ImageSize */
171 avio_rl32(pb); /* XPelsPerMeter */
172 avio_rl32(pb); /* YPelsPerMeter */
173 avio_rl32(pb); /* ClrUsed */
174 avio_rl32(pb); /* ClrImportant */
175 return tag1;
176 }
177
178 int ff_read_riff_info(AVFormatContext *s, int64_t size)
179 {
180 int64_t start, end, cur;
181 AVIOContext *pb = s->pb;
182
183 start = avio_tell(pb);
184 end = start + size;
185
186 while ((cur = avio_tell(pb)) >= 0 &&
187 cur <= end - 8 /* = tag + size */) {
188 uint32_t chunk_code;
189 int64_t chunk_size;
190 char key[5] = { 0 };
191 char *value;
192
193 chunk_code = avio_rl32(pb);
194 chunk_size = avio_rl32(pb);
195
196 if (chunk_size > end ||
197 end - chunk_size < cur ||
198 chunk_size == UINT_MAX) {
199 av_log(s, AV_LOG_WARNING, "too big INFO subchunk\n");
200 break;
201 }
202
203 chunk_size += (chunk_size & 1);
204
205 if (!chunk_code) {
206 if (chunk_size)
207 avio_skip(pb, chunk_size);
208 else if (pb->eof_reached) {
209 av_log(s, AV_LOG_WARNING, "truncated file\n");
210 return AVERROR_EOF;
211 }
212 continue;
213 }
214
215 value = av_malloc(chunk_size + 1);
216 if (!value) {
217 av_log(s, AV_LOG_ERROR,
218 "out of memory, unable to read INFO tag\n");
219 return AVERROR(ENOMEM);
220 }
221
222 AV_WL32(key, chunk_code);
223
224 if (avio_read(pb, value, chunk_size) != chunk_size) {
225 av_free(value);
226 av_log(s, AV_LOG_WARNING,
227 "premature end of file while reading INFO tag\n");
228 break;
229 }
230
231 value[chunk_size] = 0;
232
233 av_dict_set(&s->metadata, key, value, AV_DICT_DONT_STRDUP_VAL);
234 }
235
236 return 0;
237 }