diff options
| author | Uoti Urpala <uau@glyph.nonexistent.invalid> | 2011-04-24 07:21:30 +0300 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-05-12 16:09:39 +0200 |
| commit | bcedf2e519c60e8ffa05838c65a88934f1ead3bf (patch) | |
| tree | 5704a83b20b1a76365db11ab6841b20ab6b37ee9 | |
| parent | 10291562f37d00fb3fb78ec86e0353e474c0eccc (diff) | |
| download | ffmpeg-bcedf2e519c60e8ffa05838c65a88934f1ead3bf.tar.gz | |
asfdec: fix assert failure on invalid files
Add an extra size validity check in asf_read_frame_header(). Without
this asf->packet_size_left may become negative, which triggers an
assertion failure later.
| -rw-r--r-- | libavformat/asfdec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 0641688d3d..a21af775de 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -842,6 +842,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size); return -1; } + if (rsize > asf->packet_size_left) { + av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); + return -1; + } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal if(asf->packet_frag_size > asf->packet_size_left - rsize){ |