[FFmpeg-cvslog] asfdec: add more checks for size left in asf packet buffer

Alexandra Hájková git at videolan.org
Mon Oct 12 22:49:07 CEST 2015


ffmpeg | branch: release/2.8 | Alexandra Hájková <alexandra.khirnova at gmail.com> | Mon Sep  7 12:18:17 2015 +0200| [8118fdf8bb92dbd91929e734cd136e3e2e41fdcb] | committer: Andreas Cadhalpun

asfdec: add more checks for size left in asf packet buffer

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
(cherry picked from commit c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8118fdf8bb92dbd91929e734cd136e3e2e41fdcb
---

 libavformat/asfdec_o.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index db559f6..cf2a01e 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -1141,7 +1141,7 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt)
     if (!asf_pkt->data_size) {
         asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
         if (asf_pkt->data_size <= 0)
-            return AVERROR_EOF;
+            return AVERROR_INVALIDDATA;
         if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
             return ret;
     } else
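Review bot: The `asf_pkt->data_size <= 0` branch now reports `AVERROR_INVALIDDATA` for every zero or negative media object size, which presumably includes the zero that `avio_rl32` yields once the input is exhausted. If a truncated file can reach this read, callers lose the distinction between clean end of stream and a corrupt size field. Testing for end of input first would keep both cases apart: `if (avio_feof(pb)) return AVERROR_EOF;` ahead of the size check. Whether callers of asf_read_replicated_data depend on that distinction is not visible in this hunk.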
@@ -1190,6 +1190,8 @@ static int asf_read_multiple_payload(AVFormatContext *s, AVPacket *pkt,
             skip = pay_len - asf_pkt->size_left;
             pay_len = asf_pkt->size_left;
         }
+        if (asf_pkt->size_left <= 0)
+            return AVERROR_INVALIDDATA;
         if ((ret = avio_read(pb, p, pay_len)) < 0)
             return ret;
         if (s->key && s->keylen == 20)
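Review bot: The added `asf_pkt->size_left <= 0` test sits after the clamp, so `skip` and `pay_len` have already been derived from a `size_left` that is then declared invalid. Nothing visible here uses those values on the error path, but placing the guard ahead of the clamp keeps the validation in front of every use and stays correct if code is later added between the two. The opening `if` of the clamp and the computation of `p` lie outside this hunk, so it cannot be confirmed from here whether `p` is also derived from `size_left` before the guard runs.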
@@ -1237,7 +1239,7 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt,
         return AVERROR_INVALIDDATA;
     }
     p = asf_pkt->avpkt.data + asf_pkt->data_size - asf_pkt->size_left;
-    if (size > asf_pkt->size_left)
+    if (size > asf_pkt->size_left || asf_pkt->size_left <= 0)
         return AVERROR_INVALIDDATA;
     if (asf_pkt->size_left > size)
         asf_pkt->size_left -= size;
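Review bot: `p` is derived from `asf_pkt->data_size - asf_pkt->size_left` on the line before the extended check, and the check rejects only a non-positive `size_left`, not one larger than `data_size`. If `size_left` can ever exceed `data_size` (the invariant may be kept elsewhere; it is not visible here), `p` would point before `avpkt.data` and the following read would write outside the packet buffer. Validating first and including the upper bound closes that gap: `if (asf_pkt->size_left <= 0 || asf_pkt->size_left > asf_pkt->data_size || size > asf_pkt->size_left) return AVERROR_INVALIDDATA;`, followed by the assignment to `p`. The same upper bound would fit the guard added in asf_read_multiple_payload; the body of asf_read_single_payload continues outside this hunk.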


