[Ffmpeg-cvslog] r7650 - in trunk/libavformat: asf.c asf.h

michael subversion
Mon Jan 22 17:37:46 CET 2007


Author: michael
Date: Mon Jan 22 17:37:45 2007
New Revision: 7650

Modified:
   trunk/libavformat/asf.c
   trunk/libavformat/asf.h

Log:
check fragment offset and size
yes this too could have been exploitable ...


Modified: trunk/libavformat/asf.c
==============================================================================
--- trunk/libavformat/asf.c	(original)
+++ trunk/libavformat/asf.c	Mon Jan 22 17:37:45 2007
@@ -703,6 +703,14 @@
         asf->packet_size_left -= asf->packet_frag_size;
         if (asf->packet_size_left < 0)
             continue;
+
+        if(   asf->packet_frag_offset >= asf_st->pkt.size
+           || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+            av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+                asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+            continue;
+        }
+
         get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
                    asf->packet_frag_size);
         asf_st->frag_offset += asf->packet_frag_size;

Modified: trunk/libavformat/asf.h
==============================================================================
--- trunk/libavformat/asf.h	(original)
+++ trunk/libavformat/asf.h	Mon Jan 22 17:37:45 2007
@@ -106,8 +106,8 @@
     int packet_replic_size;
     int packet_key_frame;
     int packet_padsize;
-    int packet_frag_offset;
-    int packet_frag_size;
+    unsigned int packet_frag_offset;
+    unsigned int packet_frag_size;
     int packet_frag_timestamp;
     int packet_multi_size;
     int packet_obj_size;




More information about the ffmpeg-cvslog mailing list