diff options
author | Tomas Härdin <tomas.hardin@codemill.se> | 2012-01-26 13:21:36 +0100 |
---|---|---|
committer | Diego Biurrun <diego@biurrun.de> | 2012-02-09 12:42:59 +0100 |
commit | e352c96c1770f77f83cd73e6d0a286ac5541edf9 (patch) | |
tree | 06ed2327b6142a24afef9660cccb93d7326e5938 /libavformat | |
parent | 0373ec635d21c2738d7e4a8a76846753a76450aa (diff) | |
download | ffmpeg-e352c96c1770f77f83cd73e6d0a286ac5541edf9.tar.gz |
mxfdec: Fix infinite loop in mxf_packet_timestamps()
This can happen if an index table segment has a very large IndexStartPosition.
zzuf3.mxf is an example of such a file.
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/mxfdec.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index fd40fdb275..2efd287d9d 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1761,7 +1761,7 @@ static int mxf_read_header(AVFormatContext *s) */ static void mxf_packet_timestamps(MXFContext *mxf, AVPacket *pkt) { - int64_t next_ofs; + int64_t last_ofs = -1, next_ofs; MXFIndexTable *t = &mxf->index_tables[0]; /* this is called from the OP1a demuxing logic, which means there @@ -1774,9 +1774,18 @@ static void mxf_packet_timestamps(MXFContext *mxf, AVPacket *pkt) if (mxf_edit_unit_absolute_offset(mxf, t, mxf->current_edit_unit + 1, NULL, &next_ofs, 0) < 0) break; + if (next_ofs <= last_ofs) { + /* large next_ofs didn't change or current_edit_unit wrapped + * around this fixes the infinite loop on zzuf3.mxf */ + av_log(mxf->fc, AV_LOG_ERROR, + "next_ofs didn't change. not deriving packet timestamps\n"); + return; + } + if (next_ofs > pkt->pos) break; + last_ofs = next_ofs; mxf->current_edit_unit++; } |