asfdec_o: check for too small size in asf_read_unknown

This fixes infinite loops due to seeking back. Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit c29e87ad55a2be29cc8ac5c0e047512c1f5d34d4) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-01-06 19:21:49 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-01-27 23:45:45 +0100
commit: d640bc75459d7e7ad7636ecc9a8f3cfd51fc6eb2 (patch)
tree: f01f504f014a894ed3ec4a9be020114ca0963994
parent: 93559adfbfd42c8fb05cd5dc2c7cde866d3dbe87 (diff)
download: ffmpeg-d640bc75459d7e7ad7636ecc9a8f3cfd51fc6eb2.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index f8e5e1ec71..d8c4869cc1 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -190,8 +190,13 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
         if ((ret = detect_unknown_subobject(s, asf->unknown_offset,
                                             asf->unknown_size)) < 0)
             return ret;
-    } else
+    } else {
+        if (size < 24) {
+            av_log(s, AV_LOG_ERROR, "Too small size %"PRIu64" (< 24).\n", size);
+            return AVERROR_INVALIDDATA;
+        }
         avio_skip(pb, size - 24);
+    }
 
     return 0;
 }
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-01-06 19:21:49 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-01-27 23:45:45 +0100
commit	d640bc75459d7e7ad7636ecc9a8f3cfd51fc6eb2 (patch)
tree	f01f504f014a894ed3ec4a9be020114ca0963994
parent	93559adfbfd42c8fb05cd5dc2c7cde866d3dbe87 (diff)
download	ffmpeg-d640bc75459d7e7ad7636ecc9a8f3cfd51fc6eb2.tar.gz