diff options
| author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-02-17 12:21:22 -0800 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-02-29 14:21:57 +0100 |
| commit | 1c63d613721f9fb05dcf1646d00aabf5f63695eb (patch) | |
| tree | 7e8114366d296911853dcf9ade54b42e42dd98ce /libavformat | |
| parent | 2ad77c60ef862baa2afcdcb7e6f43dedabab38ef (diff) | |
| download | ffmpeg-1c63d613721f9fb05dcf1646d00aabf5f63695eb.tar.gz | |
asf: error out on ridiculously large minpktsize values.
They cause various issues further down in demuxing.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/asfdec.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index eb93f14ecf..1fbe79bf5f 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -202,6 +202,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size) asf->hdr.flags = avio_rl32(pb); asf->hdr.min_pktsize = avio_rl32(pb); asf->hdr.max_pktsize = avio_rl32(pb); + if (asf->hdr.min_pktsize >= (1U<<29)) + return AVERROR_INVALIDDATA; asf->hdr.max_bitrate = avio_rl32(pb); s->packet_size = asf->hdr.max_pktsize; @@ -616,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) if (gsize < 24) return -1; if (!ff_guidcmp(&g, &ff_asf_file_header)) { - asf_read_file_properties(s, gsize); + int ret = asf_read_file_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { asf_read_stream_properties(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { |