author | Michael Niedermayer <michaelni@gmx.at> | 2011-10-31 22:42:45 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-10-31 22:42:45 +0100 |
commit | 60fcc19bff49e0b1972eae014afc087afd94a415 (patch) | |
tree | cfe681aecc2944f39291626bbaf20d51ea73e266 /libavformat | |
parent | 8475ec190c688e39cc8d2b4aa9048196ca7e775e (diff) | |
asfdec: Check packet_replic_size earlier
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/asfdec.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 3dc0b1716a..88cc3d59f9 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -822,6 +822,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
 DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
 DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
 //printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
+ if (rsize+asf->packet_replic_size > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
+ return -1;
+ }
 if (asf->packet_replic_size >= 8) {
 asf->packet_obj_size = avio_rl32(pb);
 if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
@@ -856,10 +860,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
 av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
 return -1;
 }
- if (rsize > asf->packet_size_left) {
- av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
- return -1;
- }
 if (asf->packet_flags & 0x01) {
 DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
 if (rsize > asf->packet_size_left) { |
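Review bot: The added bound `rsize+asf->packet_replic_size > asf->packet_size_left` in the first hunk sums two values before comparing, and `packet_replic_size` is read from the file by `DO_2BITS` just above. If that field is a signed int (the `%d` in the log call suggests it is), a value near INT_MAX overflows the addition and a negative value passes the check. Comparing against the remaining room avoids the addition: `if (asf->packet_replic_size < 0 || asf->packet_replic_size > asf->packet_size_left - rsize) {`. The field types and the `DO_2BITS` macro are declared outside this hunk, and asf_read_frame_header starts and ends outside it, so confirm the widths before adopting this form. The later branch that logs "unexpected packet_replic_size" appears to reject negative sizes, but only after the `>= 8` branch has had the chance to read from `pb`.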