aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2009-07-03 11:26:14 +0000
committerReimar Döffinger <Reimar.Doeffinger@gmx.de>2009-07-03 11:26:14 +0000
commit5a4a4d78396d4195e14fbc4ba6bb3f996edecdf6 (patch)
tree2c894a35aabeca25f56468b084623fea0441de06
parentb098b3090573172cbf1e2e798a66804fbcf2674d (diff)
downloadffmpeg-5a4a4d78396d4195e14fbc4ba6bb3f996edecdf6.tar.gz
Check size of "strf" header against size of enclosing "LIST" if there is one.
Originally committed as revision 19332 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavformat/avidec.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index b3c4177d01..5b7c8bb059 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -252,6 +252,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
AVIStream *ast = NULL;
int avih_width=0, avih_height=0;
int amv_file_format=0;
+ uint64_t list_end = 0;
avi->stream_index= -1;
@@ -277,6 +278,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
switch(tag) {
case MKTAG('L', 'I', 'S', 'T'):
+ list_end = url_ftell(pb) + size;
/* Ignored, except at start of video packets. */
tag1 = get_le32(pb);
#ifdef DEBUG
@@ -445,6 +447,9 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
if (stream_index >= (unsigned)s->nb_streams || avi->dv_demux) {
url_fskip(pb, size);
} else {
+ uint64_t cur_pos = url_ftell(pb);
+ if (cur_pos < list_end)
+ size = FFMIN(size, list_end - cur_pos);
st = s->streams[stream_index];
switch(codec_type) {
case CODEC_TYPE_VIDEO: