From: "Ronald S. Bultje" <[email protected]> This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] --- libavformat/asfdec.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index bae0eac..ca194cf 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -789,6 +789,12 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb) asf->packet_segments = 1; asf->packet_segsizetype = 0x80; } + if (rsize > packet_length - padsize) { + av_log(s, AV_LOG_ERROR, + "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n", + rsize, packet_length, padsize, avio_tell(pb)); + return -1; + } asf->packet_size_left = packet_length - padsize - rsize; if (packet_length < asf->hdr.min_pktsize) padsize += asf->hdr.min_pktsize - packet_length; -- 1.7.7.4 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
