aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/wtvdec.c
diff options
context:
space:
mode:
authorPeter Ross <pross@xvid.org>2014-04-04 22:07:36 +1100
committerMichael Niedermayer <michaelni@gmx.at>2014-04-04 17:11:47 +0200
commit8348bd198ff8ef2ad366ac7ad959193ef845d468 (patch)
treedce316fb22f5fa45815b172dd2c46e62402f1850 /libavformat/wtvdec.c
parent0f629823355680802320ee7be52af7f4e1b3e0b3 (diff)
downloadffmpeg-8348bd198ff8ef2ad366ac7ad959193ef845d468.tar.gz
avformat/wtvdec: ignore MPEG2VIDEO extradata when count is invalid
Fixes ticket #3522. Signed-off-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/wtvdec.c')
-rw-r--r--libavformat/wtvdec.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 45e6b4ae8f..bf27f291e7 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -635,7 +635,7 @@ static AVStream * new_stream(AVFormatContext *s, AVStream *st, int sid, int code
*/
static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid,
ff_asf_guid mediatype, ff_asf_guid subtype,
- ff_asf_guid formattype, int size)
+ ff_asf_guid formattype, uint64_t size)
{
WtvContext *wtv = s->priv_data;
AVIOContext *pb = wtv->pb;
@@ -693,16 +693,20 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid,
int consumed = parse_videoinfoheader2(s, st);
avio_skip(pb, FFMAX(size - consumed, 0));
} else if (!ff_guidcmp(formattype, ff_format_mpeg2_video)) {
- int consumed = parse_videoinfoheader2(s, st);
- int count;
- avio_skip(pb, 4);
- count = avio_rl32(pb);
- avio_skip(pb, 12);
- if (count && ff_get_extradata(st->codec, pb, count) < 0) {
- ff_free_stream(s, st);
- return NULL;
+ uint64_t consumed = parse_videoinfoheader2(s, st);
+ if (size - consumed >= 20) {
+ uint32_t count;
+ consumed += 20;
+ avio_skip(pb, 4);
+ count = avio_rl32(pb);
+ count = FFMIN(count, size - consumed);
+ avio_skip(pb, 12);
+ if (count && ff_get_extradata(st->codec, pb, count) < 0) {
+ ff_free_stream(s, st);
+ return NULL;
+ }
+ consumed += count;
}
- consumed += 20 + count;
avio_skip(pb, FFMAX(size - consumed, 0));
} else {
if (ff_guidcmp(formattype, ff_format_none))
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-14 06:05:21 +0000