asf: prevent packet_size_left from going negative if hdrlen > pktlen.

This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0) Signed-off-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-17 12:21:18 -0800
committer: Reinhard Tartler <siretart@tauware.de> 2012-04-01 18:33:26 +0200
commit: 9a331217b00be566e8cc7afcd4df916b43e1756b (patch)
tree: 6a59654018ee7d63d7f7026dd99901d0944cd142
parent: 2380a3d37f0b94436db53aa56491cbc9203bc8fe (diff)
download: ffmpeg-9a331217b00be566e8cc7afcd4df916b43e1756b.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 16bba93c37..603886754d 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -789,6 +789,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
         asf->packet_segments = 1;
         asf->packet_segsizetype = 0x80;
     }
+    if (rsize > packet_length - padsize) {
+        asf->packet_size_left = 0;
+        av_log(s, AV_LOG_ERROR,
+               "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+               rsize, packet_length, padsize, avio_tell(pb));
+        return -1;
+    }
     asf->packet_size_left = packet_length - padsize - rsize;
     if (packet_length < asf->hdr.min_pktsize)
         padsize += asf->hdr.min_pktsize - packet_length;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-17 12:21:18 -0800
committer	Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:26 +0200
commit	9a331217b00be566e8cc7afcd4df916b43e1756b (patch)
tree	6a59654018ee7d63d7f7026dd99901d0944cd142
parent	2380a3d37f0b94436db53aa56491cbc9203bc8fe (diff)
download	ffmpeg-9a331217b00be566e8cc7afcd4df916b43e1756b.tar.gz