diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2006-09-27 21:19:47 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2006-09-27 21:19:47 +0000 |
commit | 5b11e0817185aae44fdeda4c6c0cf030c508a479 (patch) | |
tree | d7e6a55d5aefb413d6ef08744223bb6834a4d849 | |
parent | 854fdb51e61c3e4ee83d01e610fc924698eabf58 (diff) | |
download | ffmpeg-5b11e0817185aae44fdeda4c6c0cf030c508a479.tar.gz |
prevent infinite loop with VORC012.WMA
Originally committed as revision 6361 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavformat/asf.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/libavformat/asf.c b/libavformat/asf.c index 7759927f61..15f7dd3f62 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -521,6 +521,16 @@ static int asf_get_packet(AVFormatContext *s) DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length + //the following checks prevent overflows and infinite loops + if(packet_length >= (1U<<29)){ + av_log(s, AV_LOG_ERROR, "invalid packet_length %d at:%"PRId64"\n", packet_length, url_ftell(pb)); + return 0; // FIXME this should be -1 + } + if(padsize >= (1U<<29)){ + av_log(s, AV_LOG_ERROR, "invalid padsize %d at:%"PRId64"\n", padsize, url_ftell(pb)); + return 0; // FIXME this should be -1 + } + asf->packet_timestamp = get_le32(pb); get_le16(pb); /* duration */ // rsize has at least 11 bytes which have to be present @@ -557,6 +567,7 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) //printf("PacketLeftSize:%d Pad:%d Pos:%Ld\n", asf->packet_size_left, asf->packet_padsize, url_ftell(pb)); if((url_ftell(&s->pb) + ret - s->data_offset) % asf->packet_size) ret += asf->packet_size - ((url_ftell(&s->pb) + ret - s->data_offset) % asf->packet_size); + assert(ret>=0); /* fail safe */ url_fskip(pb, ret); asf->packet_pos= url_ftell(&s->pb); |