On Fri, Feb 17, 2012 at 2:34 PM, Ronald S. Bultje <[email protected]> wrote:
> From: "Ronald S. Bultje" <[email protected]>
>
> Seeking backwards after a 1-byte read will result in an infinite loop.
>
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: [email protected]
> ---
> libavformat/asfdec.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
> index 01411fa..818f82d 100644
> --- a/libavformat/asfdec.c
> +++ b/libavformat/asfdec.c
> @@ -761,8 +761,8 @@ static int ff_asf_get_packet(AVFormatContext *s,
> AVIOContext *pb)
> // if we do not know packet size, allow skipping up to 32 kB
> off= 32768;
> if (s->packet_size > 0)
> off= (avio_tell(pb) - s->data_offset) % s->packet_size + 3;
off is at least 3.
>
> c=d=e=-1;
> while(off-- > 0){
> c=d; d=e;
> e= avio_r8(pb);
> if(c == 0x82 && !d && !e)
This condition is guaranteed to be false on the 1st and 2nd iterations.
> break;
> }
[...]
> c= avio_r8(pb);
> d= avio_r8(pb);
> rsize+=3;
> - }else{
> - avio_seek(pb, -1, SEEK_CUR); //FIXME
> + } else {
> + av_log(s, AV_LOG_ERROR, "Invalid sync state 0x%x\n", c);
> }
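Review bot: the new else branch only calls av_log() with "Invalid sync state" and then closes, with no return inside it, so an invalid state is reported but not acted on. With avio_seek(pb, -1, SEEK_CUR) removed, the byte that used to be pushed back also stays consumed. If the state is really invalid, return an error from this branch (for example AVERROR_INVALIDDATA); if continuing is intended, say so in a comment. The commit message should also spell out which loop fails to terminate and why the one-byte backward seek triggers it, since the visible context reads at least three bytes before reaching this branch.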
This is seeking backward after a series of at least 3 one-byte reads.
How is it causing an infinite loop?