aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Cadhalpun <andreas.cadhalpun@googlemail.com>2016-01-06 07:34:42 +0100
committerAnton Khirnov <anton@khirnov.net>2016-01-07 08:20:21 +0100
commitc69461d73797e02e7a3ab4316050c241fa91f53f (patch)
tree8695fa02530cf856fb015489ca3542ef1ed47e32
parentd1cd20e4e33f8139e150034b3c457302312d81bd (diff)
downloadffmpeg-c69461d73797e02e7a3ab4316050c241fa91f53f.tar.gz
asfdec: only set asf_pkt->data_size after sanity checks
Otherwise invalid values are used unchecked in the next run. This can cause NULL pointer dereferencing. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Alexandra Hájková <alexandra.khirnova@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>
-rw-r--r--libavformat/asfdec.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index ca7712fcac..58480dc36a 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt)
{
ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb;
- int ret;
+ int ret, data_size;
if (!asf_pkt->data_size) {
- asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
- if (asf_pkt->data_size <= 0)
+ data_size = avio_rl32(pb); // read media object size
+ if (data_size <= 0)
return AVERROR_INVALIDDATA;
- if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
+ if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
return ret;
+ asf_pkt->data_size = asf_pkt->size_left = data_size;
} else
avio_skip(pb, 4); // reading of media object size is already done
asf_pkt->dts = avio_rl32(pb); // read presentation time
@@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt,
int64_t offset;
uint64_t size;
unsigned char *p;
- int ret;
+ int ret, data_size;
if (!asf_pkt->data_size) {
- asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
- if (asf_pkt->data_size <= 0)
+ data_size = avio_rl32(pb); // read media objectgg size
+ if (data_size <= 0)
return AVERROR_EOF;
- if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
+ if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
return ret;
+ asf_pkt->data_size = asf_pkt->size_left = data_size;
} else
avio_skip(pb, 4); // skip media object size
asf_pkt->dts = avio_rl32(pb); // read presentation time