diff options
| author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-01-05 13:20:11 +0100 |
|---|---|---|
| committer | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-01-27 23:45:44 +0100 |
| commit | 407ab167c07c9afb4aa3518f850241fad0ac0df9 (patch) | |
| tree | 0477d890557d6d3469e39c89fe60a63f33b7a9f0 | |
| parent | d7fbd0366005b2d4abf06e97d623e078ccf3e160 (diff) | |
| download | ffmpeg-407ab167c07c9afb4aa3518f850241fad0ac0df9.tar.gz | |
asfdec_o: reject size > INT64_MAX in asf_read_unknown
Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.
This fixes a segmentation fault due to infinite recursion.
Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit aa180169961b46cf0d2bcc23cb686f93c079b256)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
| -rw-r--r-- | libavformat/asfdec_o.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 322125320e..2ccfe3a592 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -178,6 +178,9 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; + if (size > INT64_MAX) + return AVERROR_INVALIDDATA; + if (asf->is_header) asf->unknown_size = size; asf->is_header = 0; |