diff options
author | Uoti Urpala <uoti.urpala@pp1.inet.fi> | 2011-05-12 10:20:27 -0400 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2011-05-17 22:06:00 +0200 |
commit | 29fa570d0c74c59a4a970f5ade9fbd126314cbd9 (patch) | |
tree | 12a017b774375493aa0a27f8a3b092f5e530a7a5 /libavformat/asfdec.c | |
parent | 69fa23961ededd725c68b188493cf2653d70f4fd (diff) | |
download | ffmpeg-29fa570d0c74c59a4a970f5ade9fbd126314cbd9.tar.gz |
asfdec: fix possible overread on broken files.
Diffstat (limited to 'libavformat/asfdec.c')
-rw-r--r-- | libavformat/asfdec.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index e9a3995705..ed02d40fb9 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -852,7 +852,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal - if(asf->packet_frag_size > asf->packet_size_left - rsize){ + if (rsize > asf->packet_size_left) { + av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); + return -1; + } else if(asf->packet_frag_size > asf->packet_size_left - rsize){ if (asf->packet_frag_size > asf->packet_size_left - rsize + asf->packet_padsize) { av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid (%d-%d)\n", asf->packet_size_left, rsize); return -1; |