[FFmpeg-devel] [PATCH 2/2] asfdec_o: reject size > INT64_MAX in asf_read_unknown

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Fri Jan 15 01:02:11 CET 2016


On 05.01.2016 13:26, Andreas Cadhalpun wrote:
> Both avio_skip and detect_unknown_subobject use int64_t for the size
> parameter.
> 
> This fixes a segmentation fault due to infinite recursion.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/asfdec_o.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
> index 79b9ee4..02809bb 100644
> --- a/libavformat/asfdec_o.c
> +++ b/libavformat/asfdec_o.c
> @@ -178,6 +178,9 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
>      uint64_t size   = avio_rl64(pb);
>      int ret;
>  
> +    if (size > INT64_MAX)
> +        return AVERROR_INVALIDDATA;
> +
>      if (asf->is_header)
>          asf->unknown_size = size;
>      asf->is_header = 0;
> 

Pushed now, as Alexandra (the author over at Libav) seems fine with it.

Best regards,
Andreas



More information about the ffmpeg-devel mailing list