Overall it looks good. I thought it might overflow the buffer but with AVPROBE_PADDING_SIZE it doesn't.
On Tue, Jan 12, 2016 at 7:09 AM, Carl Eugen Hoyos <ceho...@ag.or.at> wrote:
> diff --git a/libavformat/icodec.c b/libavformat/icodec.c
> index 22e2099..9cf3dca 100644
> --- a/libavformat/icodec.c
> +++ b/libavformat/icodec.c
> @@ -27,6 +27,7 @@
> #include "libavutil/intreadwrite.h"
> #include "libavcodec/bytestream.h"
> #include "libavcodec/bmp.h"
> +#include "libavcodec/png.h"
> #include "avformat.h"
> #include "internal.h"
>
> @@ -44,9 +45,30 @@ typedef struct {
>
> static int probe(AVProbeData *p)
> {
> - if (AV_RL16(p->buf) == 0 && AV_RL16(p->buf + 2) == 1 && AV_RL16(p->buf +
> 4))
> - return AVPROBE_SCORE_MAX / 4;
> - return 0;
> + unsigned i, frames = AV_RL16(p->buf + 4);
> +
> + if (AV_RL16(p->buf) || AV_RL16(p->buf + 2) != 1 || !frames)
> + return 0;
> + for (i = 0; i < frames; i++) {
> + unsigned offset;
> + if (AV_RL16(p->buf + 10 + i * 16) & ~1) // color planes
> + return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> + if (p->buf[13 + i * 16])
> + return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> + if (AV_RL32(p->buf + 14 + i * 16) < 40) // size
> + return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> + offset = AV_RL32(p->buf + 18 + i * 16);
> + if (offset < 22)
> + return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> + if (offset + 8 > p->buf_size)
> + return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1);
> + if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
> + return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> + if (i * 16 + 6 > p->buf_size)
> + return AVPROBE_SCORE_MAX / 4;
> + }
> +
> + return AVPROBE_SCORE_MAX / 4 + 1;

A score of 26 seems low to me, but maybe that's just me.

> }
>
> static int read_header(AVFormatContext *s)

I checked all the various header bytes this would be checking and it all looks good.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
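Review bot: The bounds check `if (offset + 8 > p->buf_size)` in the new probe() loop can wrap, because `offset` is an unsigned 32-bit value taken straight from the file: an offset within 8 of UINT_MAX makes `offset + 8` a small number, the check passes, and `p->buf[offset]` and `AV_RB64(p->buf + offset)` then read far outside the probe buffer. Compare without the addition, for example `if (p->buf_size < 8 || offset > p->buf_size - 8)`, so the arithmetic is done on the buffer size rather than on the file-supplied value. This assumes `buf_size` is a non-negative int, whose declaration is not in the hunk. Probe functions run on untrusted input before a demuxer is chosen, so an out-of-bounds read here is worth closing before the patch is applied.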