From: Uoti Urpala <[email protected]> Add an extra size validity check in asf_read_frame_header(). Without this asf->packet_size_left may become negative, which triggers an assertion failure later.
Signed-off-by: Ronald S. Bultje <[email protected]>
---
 libavformat/asfdec.c | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 637ceed..76cd7a7 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -852,6 +852,7 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
 } if (asf->packet_flags & 0x01) { DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal + if(asf->packet_frag_size > asf->packet_size_left - rsize){ if (asf->packet_frag_size > asf->packet_size_left - rsize + asf->packet_padsize) { av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid (%d-%d)\n", asf->packet_size_left, rsize);
@@ -864,6 +865,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
 }
 //printf("Fragsize %d\n", asf->packet_frag_size);
 } else {
+ if (rsize > asf->packet_size_left) {
+ av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
+ return -1;
+ }
 asf->packet_frag_size = asf->packet_size_left - rsize;
 //printf("Using rest %d %d %d\n", asf->packet_frag_size, asf->packet_size_left, rsize);
 }
--
1.7.2.1
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
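Review bot: The `asf->packet_flags & 0x01` branch in the first hunk still computes `asf->packet_size_left - rsize` without first rejecting `rsize > asf->packet_size_left`; the guard this patch adds sits only in the `else` branch of the second hunk. If `packet_frag_size` is declared unsigned (the declaration is outside the hunk), a negative difference is converted to a large unsigned value, the `packet_frag_size is invalid` test does not fire, and a crafted file could still drive `packet_size_left` negative and reach the assertion the description mentions. Repeating the guard directly after the `DO_2BITS` line, `if (rsize > asf->packet_size_left) { av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n"); return -1; }`, would cover both branches. The body of asf_read_frame_header() starts and ends outside both hunks.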
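Review bot: The error message added in the `else` branch prints no values, unlike the neighbouring `packet_frag_size is invalid (%d-%d)` message, so a rejected file cannot be triaged from the log alone. Something like `av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid (%d>%d)\n", rsize, asf->packet_size_left);` would match it, assuming both operands are plain `int` as the existing `%d` format suggests. A one-line comment above the check, such as `/* header bytes consumed so far must fit in what is left of the packet, or packet_frag_size below goes negative */`, would record why the check exists.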
