diff options
| author | Andreas Cadhalpun <[email protected]> | 2016-01-06 07:34:42 +0100 |
|---|---|---|
| committer | Anton Khirnov <[email protected]> | 2016-01-07 08:20:21 +0100 |
| commit | c69461d73797e02e7a3ab4316050c241fa91f53f (patch) | |
| tree | 8695fa02530cf856fb015489ca3542ef1ed47e32 | |
| parent | d1cd20e4e33f8139e150034b3c457302312d81bd (diff) | |
asfdec: only set asf_pkt->data_size after sanity checks
Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.
Signed-off-by: Andreas Cadhalpun <[email protected]>
Signed-off-by: Alexandra Hájková <[email protected]>
Signed-off-by: Anton Khirnov <[email protected]>
| -rw-r--r-- | libavformat/asfdec.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index ca7712fcac..58480dc36a 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt) { ASFContext *asf = s->priv_data; AVIOContext *pb = s->pb; - int ret; + int ret, data_size; if (!asf_pkt->data_size) { - asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size - if (asf_pkt->data_size <= 0) + data_size = avio_rl32(pb); // read media object size + if (data_size <= 0) return AVERROR_INVALIDDATA; - if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0) + if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0) return ret; + asf_pkt->data_size = asf_pkt->size_left = data_size; } else avio_skip(pb, 4); // reading of media object size is already done asf_pkt->dts = avio_rl32(pb); // read presentation time @@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt, int64_t offset; uint64_t size; unsigned char *p; - int ret; + int ret, data_size; if (!asf_pkt->data_size) { - asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size - if (asf_pkt->data_size <= 0) + data_size = avio_rl32(pb); // read media objectgg size + if (data_size <= 0) return AVERROR_EOF; - if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0) + if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0) return ret; + asf_pkt->data_size = asf_pkt->size_left = data_size; } else avio_skip(pb, 4); // skip media object size asf_pkt->dts = avio_rl32(pb); // read presentation time |