On Wed, 2011-05-04 at 04:38 +0200, Uoti Urpala wrote:
> Commit: 0bd433a916cd8d98fce47742fbf6d0f90ec941c4
>
> Author: Uoti Urpala <uoti.urpala.pp1.inet.fi>
> Committer: Ronald S. Bultje <[email protected]>
> Date: Sun Apr 24 07:21:30 2011 +0300
>
> asfdec: fix assert failure on invalid files
> diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
> index 637ceed..77c8449 100644
> --- a/libavformat/asfdec.c
> +++ b/libavformat/asfdec.c
> @@ -864,6 +864,10 @@ static int asf_read_frame_header(AVFormatContext *s,
> AVIOContext *pb){
> }
> //printf("Fragsize %d\n", asf->packet_frag_size);
> } else {
> + if (rsize > asf->packet_size_left) {
> + av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
> + return -1;
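
Review bot: the new `rsize > asf->packet_size_left` test sits inside the `else` branch, so a header that takes the other branch still reaches its `asf->packet_size_left - rsize` arithmetic with an unchecked rsize. Move the check above the if/else so both paths reject an oversized rsize before any subtraction. The existing comparison in the other branch cannot serve as the bound, because its left operand is unsigned.
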
This modified version of my patch does not fix all the routes to assert
failure for huge rsize: the check is now only done inside the "else"
branch and all "big enough" values will still cause a failure in the
other branch. Ronald probably thought that the check he added there,
"if (asf->packet_frag_size > asf->packet_size_left - rsize +
asf->packet_padsize) {",
would also protect against insane values. However, this doesn't work
because packet_frag_size is declared with an unsigned type, and thus all
large values of rsize will just make the right side of the comparison
wrap around instead of triggering the test.
I already mentioned this on IRC, but as it still isn't fixed I'm posting
here to reduce the probability of the issue being forgotten.
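
The wrap-around described in the message above, shown as an added example (not libav code and not from the message's author). The operand types other than the unsigned packet_frag_size, the function names and the sample values are assumptions made for this sketch.

```c
#include <stdio.h>

/* Types are assumptions: the message only says packet_frag_size is unsigned;
 * size_left, padsize and rsize are taken to be int in this sketch. */

/* The comparison quoted in the message; returns 1 when it rejects the header.
 * Mixing unsigned and int converts the right side to unsigned, which the
 * casts make explicit (and keep the arithmetic free of signed overflow). */
static int quoted_check_rejects(unsigned frag_size, int size_left,
                                int padsize, int rsize)
{
    unsigned rhs = (unsigned)size_left - (unsigned)rsize + (unsigned)padsize;
    return frag_size > rhs;
}

/* Hypothetical hardened form: bound rsize first, on every path, then compare
 * in a wider signed type so nothing can wrap. */
static int hardened_check_rejects(unsigned frag_size, int size_left,
                                  int padsize, int rsize)
{
    if (rsize < 0 || size_left < 0 || padsize < 0 || rsize > size_left)
        return 1;
    long long room = (long long)size_left - rsize + padsize;
    return (long long)frag_size > room;
}

int main(void)
{
    /* Constructed values: 100 bytes left in the packet, rsize far larger. */
    unsigned frag = 200;
    int left = 100, pad = 0, rsize = 5000;

    printf("wrapped right side: %u\n",
           (unsigned)left - (unsigned)rsize + (unsigned)pad);
    printf("quoted check rejects:   %d\n",
           quoted_check_rejects(frag, left, pad, rsize));
    printf("hardened check rejects: %d\n",
           hardened_check_rejects(frag, left, pad, rsize));
    return 0;
}
```

With these constructed inputs the quoted comparison accepts the header because its right side has wrapped to a value near the top of the unsigned range, while the form that bounds rsize first rejects it.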