[FFmpeg-cvslog] asf: prevent packet_size_left from going negative if hdrlen > pktlen.

Ronald S. Bultje git at videolan.org
Mon Apr 2 01:45:08 CEST 2012


ffmpeg | branch: release/0.8 | Ronald S. Bultje <rsbultje at gmail.com> | Fri Feb 17 12:21:18 2012 -0800| [9a331217b00be566e8cc7afcd4df916b43e1756b] | committer: Reinhard Tartler

asf: prevent packet_size_left from going negative if hdrlen > pktlen.

This prevents failed assertions further down in the packet processing
where we require non-negative values for packet_size_left.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0)

Signed-off-by: Anton Khirnov <anton at khirnov.net>
Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a331217b00be566e8cc7afcd4df916b43e1756b
---

 libavformat/asfdec.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 16bba93..6038867 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -789,6 +789,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
         asf->packet_segments = 1;
         asf->packet_segsizetype = 0x80;
     }
+    if (rsize > packet_length - padsize) {
+        asf->packet_size_left = 0;
+        av_log(s, AV_LOG_ERROR,
+               "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+               rsize, packet_length, padsize, avio_tell(pb));
+        return -1;
+    }
     asf->packet_size_left = packet_length - padsize - rsize;
     if (packet_length < asf->hdr.min_pktsize)
         padsize += asf->hdr.min_pktsize - packet_length;
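Review bot: the guard `rsize > packet_length - padsize` assumes `packet_length - padsize` is itself sane, and nothing in this hunk checks that `padsize` does not exceed `packet_length`. The declarations are not visible here. If both are unsigned, the difference wraps to a large value when `padsize > packet_length`, the guard passes, and the unchanged assignment `asf->packet_size_left = packet_length - padsize - rsize;` still produces an out-of-range value, which is the condition the commit message says trips assertions later. Suggest rejecting that case explicitly, for example `if (padsize > packet_length || rsize > packet_length - padsize)`, so both malformed-header cases take the same error path. Minor: if callers propagate the return value, `AVERROR_INVALIDDATA` would be more informative than `return -1`.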


