diff options
author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-05-20 00:34:42 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2015-06-01 23:25:19 +0200 |
commit | 9f99f29f23778efe04c4abdeb3f593162f0d3a0a (patch) | |
tree | 5300be3e3ebf69e09ce69a2c77f087ba6d514f76 | |
parent | b947ff898596558c64e4b72657860ed2b57f58fd (diff) | |
download | ffmpeg-9f99f29f23778efe04c4abdeb3f593162f0d3a0a.tar.gz |
nutdec: abort if EOF is reached in decode_info_header/read_sm_data
These loops can take a lot of time if count is very large.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavformat/nutdec.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 59d88db6d0..d56c4a5287 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut) AVIOContext *bc = s->pb; uint64_t tmp, chapter_start, chapter_len; unsigned int stream_id_plus1, count; - int chapter_id, i; + int chapter_id, i, ret; int64_t value, end; char name[256], str_value[1024], type_str[256]; const char *type; @@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut) } for (i = 0; i < count; i++) { - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n"); + return ret; + } value = get_s(bc); if (value == -1) { type = "UTF-8"; @@ -855,14 +859,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int int sample_rate = 0; int width = 0; int height = 0; - int i; + int i, ret; for (i=0; i<count; i++) { uint8_t name[256], str_value[256], type_str[256]; int value; if (avio_tell(bc) >= maxpos) return AVERROR_INVALIDDATA; - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n"); + return ret; + } value = get_s(bc); if (value == -1) { |