aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/asfdec.c
diff options
context:
space:
mode:
authorUoti Urpala <uoti.urpala@pp1.inet.fi>2011-05-12 10:20:27 -0400
committerReinhard Tartler <siretart@tauware.de>2011-05-17 22:06:00 +0200
commit29fa570d0c74c59a4a970f5ade9fbd126314cbd9 (patch)
tree12a017b774375493aa0a27f8a3b092f5e530a7a5 /libavformat/asfdec.c
parent69fa23961ededd725c68b188493cf2653d70f4fd (diff)
downloadffmpeg-29fa570d0c74c59a4a970f5ade9fbd126314cbd9.tar.gz
asfdec: fix possible overread on broken files.
Diffstat (limited to 'libavformat/asfdec.c')
-rw-r--r--libavformat/asfdec.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index e9a3995705..ed02d40fb9 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -852,7 +852,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
}
if (asf->packet_flags & 0x01) {
DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
- if(asf->packet_frag_size > asf->packet_size_left - rsize){
+ if (rsize > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
+ return -1;
+ } else if(asf->packet_frag_size > asf->packet_size_left - rsize){
if (asf->packet_frag_size > asf->packet_size_left - rsize + asf->packet_padsize) {
av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid (%d-%d)\n", asf->packet_size_left, rsize);
return -1;