asf: prevent packet_size_left from going negative if hdrlen > pktlen.

This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-17 12:21:18 -0800
committer: Reinhard Tartler <siretart@tauware.de> 2012-02-26 10:03:16 +0100
commit: f947e965beb858b67ab6e49f9e24e8d12d9b5a7d (patch)
tree: ddf891348f9c9d173d9fb17c061040a1be72f350
parent: 5c365dc9792a6a91637498e2ee1fdcb90c9c7640 (diff)
download: ffmpeg-f947e965beb858b67ab6e49f9e24e8d12d9b5a7d.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 91d285e8b5..eb93f14ecf 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -789,6 +789,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
         asf->packet_segments = 1;
         asf->packet_segsizetype = 0x80;
     }
+    if (rsize > packet_length - padsize) {
+        asf->packet_size_left = 0;
+        av_log(s, AV_LOG_ERROR,
+               "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+               rsize, packet_length, padsize, avio_tell(pb));
+        return -1;
+    }
     asf->packet_size_left = packet_length - padsize - rsize;
     if (packet_length < asf->hdr.min_pktsize)
         padsize += asf->hdr.min_pktsize - packet_length;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-17 12:21:18 -0800
committer	Reinhard Tartler <siretart@tauware.de>	2012-02-26 10:03:16 +0100
commit	f947e965beb858b67ab6e49f9e24e8d12d9b5a7d (patch)
tree	ddf891348f9c9d173d9fb17c061040a1be72f350
parent	5c365dc9792a6a91637498e2ee1fdcb90c9c7640 (diff)
download	ffmpeg-f947e965beb858b67ab6e49f9e24e8d12d9b5a7d.tar.gz