[FFmpeg-devel] [PATCH 1/2] avformat/wtvdec: ignore MPEG2VIDEO extradata when count is invalid

Peter Ross pross at xvid.org
Fri Apr 4 13:07:36 CEST 2014


Fixes ticket #3522.

Signed-off-by: Peter Ross <pross at xvid.org>
---
 libavformat/wtvdec.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 45e6b4a..bf27f29 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -635,7 +635,7 @@ static AVStream * new_stream(AVFormatContext *s, AVStream *st, int sid, int code
  */
 static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid,
                                    ff_asf_guid mediatype, ff_asf_guid subtype,
-                                   ff_asf_guid formattype, int size)
+                                   ff_asf_guid formattype, uint64_t size)
 {
     WtvContext *wtv = s->priv_data;
     AVIOContext *pb = wtv->pb;
@@ -693,16 +693,20 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid,
             int consumed = parse_videoinfoheader2(s, st);
             avio_skip(pb, FFMAX(size - consumed, 0));
         } else if (!ff_guidcmp(formattype, ff_format_mpeg2_video)) {
-            int consumed = parse_videoinfoheader2(s, st);
-            int count;
-            avio_skip(pb, 4);
-            count = avio_rl32(pb);
-            avio_skip(pb, 12);
-            if (count && ff_get_extradata(st->codec, pb, count) < 0) {
-               ff_free_stream(s, st);
-               return NULL;
+            uint64_t consumed = parse_videoinfoheader2(s, st);
+            if (size - consumed >= 20) {
+                uint32_t count;
+                consumed += 20;
+                avio_skip(pb, 4);
+                count = avio_rl32(pb);
+                count = FFMIN(count, size - consumed);
+                avio_skip(pb, 12);
+                if (count && ff_get_extradata(st->codec, pb, count) < 0) {
+                   ff_free_stream(s, st);
+                   return NULL;
+                }
+                consumed += count;
             }
-            consumed += 20 + count;
             avio_skip(pb, FFMAX(size - consumed, 0));
         } else {
             if (ff_guidcmp(formattype, ff_format_none))
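Review bot: With `size` now `uint64_t`, every `size - consumed` in this hunk is unsigned, so it wraps instead of going negative if `parse_videoinfoheader2()` reports more bytes than `size`. In that case `size - consumed >= 20` passes, `FFMIN(count, size - consumed)` no longer bounds the file-supplied `count`, and both `FFMAX(size - consumed, 0)` clamps (including the one in the videoinfo2 branch, where `consumed` is still `int`) become no-ops, so the wrapped value reaches `avio_skip()`. Compare before subtracting: `if (size >= consumed && size - consumed >= 20) {` for the guard and `avio_skip(pb, size > consumed ? size - consumed : 0);` for the skips. `parse_media_type()` starts and ends outside the hunk, so any other arithmetic on `size` in the function is worth checking for the same wrap.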
-- 
1.8.3.2

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)