diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2013-10-04 22:56:02 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-10-04 23:26:40 +0200 |
commit | e1f8184a1a973fd7de1bf53578d09661ec7bad75 (patch) | |
tree | 13604a3e24190e38ba0c4b1a1f31de32fed79944 | |
parent | b611ea041de6f9ffdcca4495910878df852c4f5c (diff) | |
download | ffmpeg-e1f8184a1a973fd7de1bf53578d09661ec7bad75.tar.gz |
avformat/gifdec: make GIF_APP_EXT_LABEL parsing more robust
Fixes Ticket3021
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavformat/gifdec.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c index e05dc419c7..2981bcabbe 100644 --- a/libavformat/gifdec.c +++ b/libavformat/gifdec.c @@ -164,16 +164,26 @@ static int gif_read_ext(AVFormatContext *s) if ((ret = avio_skip(pb, sb_size - 3)) < 0 ) return ret; } else if (ext_label == GIF_APP_EXT_LABEL) { - uint8_t netscape_ext[sizeof(NETSCAPE_EXT_STR)-1 + 2]; + uint8_t data[256]; - if ((sb_size = avio_r8(pb)) != strlen(NETSCAPE_EXT_STR)) - return 0; - ret = avio_read(pb, netscape_ext, sizeof(netscape_ext)); - if (ret < sizeof(netscape_ext)) + sb_size = avio_r8(pb); + ret = avio_read(pb, data, sb_size); + if (ret < 0 || !sb_size) return ret; - gdc->total_iter = avio_rl16(pb); - if (gdc->total_iter == 0) - gdc->total_iter = -1; + + if (sb_size == strlen(NETSCAPE_EXT_STR)) { + sb_size = avio_r8(pb); + ret = avio_read(pb, data, sb_size); + if (ret < 0 || !sb_size) + return ret; + + if (sb_size == 3 && data[0] == 1) { + gdc->total_iter = AV_RL16(data+1); + + if (gdc->total_iter == 0) + gdc->total_iter = -1; + } + } } if ((ret = gif_skip_subblocks(pb)) < 0) |