aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-10-31 22:42:45 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-11-04 13:32:50 +0100
commit0e3dec6b08b16307c2bc276d1b4f8b96ab52414e (patch)
tree8ef7aded869f83c81cb5ca8789d0dba4a3cdca37 /libavformat
parent711e6c947b728b23e84f15152fa59ef8ae20de63 (diff)
downloadffmpeg-0e3dec6b08b16307c2bc276d1b4f8b96ab52414e.tar.gz
asfdec: Check packet_replic_size earlier
Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 60fcc19bff49e0b1972eae014afc087afd94a415) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/asfdec.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 033bdede13..be8885d904 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -808,6 +808,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
//printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
+ if (rsize+asf->packet_replic_size > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
+ return -1;
+ }
if (asf->packet_replic_size >= 8) {
asf->packet_obj_size = avio_rl32(pb);
if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
@@ -842,10 +846,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
return -1;
}
- if (rsize > asf->packet_size_left) {
- av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
- return -1;
- }
if (asf->packet_flags & 0x01) {
DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
if (rsize > asf->packet_size_left) {