Attached patch fixes an assertion failure that's fairly easy to trigger with corrupt files.
The asf seek regression triggered by the preroll changes (caused by binary seek fallback) is still there. Anyone going to fix that? Disabling the utils.c fallback for asf should be enough. I'm not posting a patch for that one as the method of disabling it is a matter of opinion/style; I neither care what method libavformat uses for that nor want to discuss it.
>From 510006353fcbba1bf1cd64ab26a61190ab3e4ace Mon Sep 17 00:00:00 2001 From: Uoti Urpala <[email protected]> Date: Sun, 24 Apr 2011 07:21:30 +0300 Subject: [PATCH] asfdec: fix assert failure on invalid files Add an extra size validity check in asf_read_frame_header(). Without this asf->packet_size_left may become negative, which triggers an assertion failure later. --- libavformat/asfdec.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 8e10d68..06ed987 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -850,6 +850,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){ av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size); return -1; } + if (rsize > asf->packet_size_left) { + av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); + return -1; + } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal if(asf->packet_frag_size > asf->packet_size_left - rsize){ -- 1.7.5.rc1.5.g24078
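Review bot: The error message in the added `if (rsize > asf->packet_size_left)` block says "packet_replic_size is invalid", but the condition tests `rsize` against `asf->packet_size_left` and the message prints neither value, unlike the `av_log` call just above it, which reports `asf->packet_replic_size`. Consider wording the message after the comparison actually made and including both `rsize` and `asf->packet_size_left`, so a corrupt file can be diagnosed from the log alone. Placing the check ahead of the `asf->packet_flags & 0x01` branch is right, since it keeps `asf->packet_size_left - rsize` non-negative for the `packet_frag_size` comparison that follows.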
