[Ffmpeg-cvslog] r7650 - in trunk/libavformat: asf.c asf.h
michael
subversion
Mon Jan 22 17:37:46 CET 2007
Author: michael
Date: Mon Jan 22 17:37:45 2007
New Revision: 7650
Modified:
trunk/libavformat/asf.c
trunk/libavformat/asf.h
Log:
check fragment offset and size
yes this too could have been exploitable ...
Modified: trunk/libavformat/asf.c
==============================================================================
--- trunk/libavformat/asf.c (original)
+++ trunk/libavformat/asf.c Mon Jan 22 17:37:45 2007
@@ -703,6 +703,14 @@
asf->packet_size_left -= asf->packet_frag_size;
if (asf->packet_size_left < 0)
continue;
+
+ if( asf->packet_frag_offset >= asf_st->pkt.size
+ || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+ av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+ asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+ continue;
+ }
+
get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
asf->packet_frag_size);
asf_st->frag_offset += asf->packet_frag_size;
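Review bot: The new rejection branch can leave the parser's byte accounting and the stream position out of step: `packet_size_left` has already been reduced by `packet_frag_size` at the top of the hunk, yet the `continue` skips `get_buffer()`, so the fragment's payload stays unread in `pb`. The existing `if (asf->packet_size_left < 0) continue;` just above has the same shape, so this may be intended, but the enclosing loop starts and ends outside the hunk and whether it resynchronises cannot be seen here. I would at least record the state with a comment above the `continue`, such as `/* fragment dropped unread: pb still points at its payload, packet_size_left already excludes it */`. The bounds test also relies on `asf_st->pkt.size` being non-negative, since it is compared with unsigned values and printed with `%u`; a one-line comment stating that assumption would help the next reader.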
Modified: trunk/libavformat/asf.h
==============================================================================
--- trunk/libavformat/asf.h (original)
+++ trunk/libavformat/asf.h Mon Jan 22 17:37:45 2007
@@ -106,8 +106,8 @@
int packet_replic_size;
int packet_key_frame;
int packet_padsize;
- int packet_frag_offset;
- int packet_frag_size;
+ unsigned int packet_frag_offset;
+ unsigned int packet_frag_size;
int packet_frag_timestamp;
int packet_multi_size;
int packet_obj_size;
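Review bot: Switching `packet_frag_offset` and `packet_frag_size` to `unsigned int` changes the arithmetic of every expression that mixes them with the neighbouring `int` fields, not only the new check in asf.c. For example, `asf->packet_size_left -= asf->packet_frag_size` in the asf.c hunk is now evaluated in unsigned arithmetic before being stored back, assuming `packet_size_left` is a signed int as its `< 0` test suggests. The other uses of these two fields lie outside this diff and are worth auditing for comparisons or subtractions that previously relied on a negative value. A comment on the declarations would document the intent, e.g. `/* read from the file, untrusted; unsigned so a negative value cannot slip past a bounds check */`. The struct definition starts and ends outside the hunk.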