Re: [libav-devel] [PATCH] asfdec: prevent the infinite loop in detect unknown_subobject

Andreas Cadhalpun Thu, 02 Jul 2015 13:06:08 -0700

On 02.07.2015 14:17, Alexandra Hájková wrote:
> ---
>  libavformat/asfdec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
> index 45c86e1..58769d9 100644
> --- a/libavformat/asfdec.c
> +++ b/libavformat/asfdec.c
> @@ -1593,6 +1593,8 @@ static int detect_unknown_subobject(AVFormatContext *s, 
> int64_t offset, int64_t
>      int ret;
>  
>      while (avio_tell(pb) <= offset + size) {
> +        if (avio_tell(pb) == asf->offset)
> +            break;
>          asf->offset = avio_tell(pb);
>          if ((ret = ff_get_guid(pb, &guid)) < 0)
>              return ret;


That fixes the hang I meant.

There is also a different hang in the while loop of asf_read_header,
caused by an overflow of 'offset + size' in align_position.

Best regards,
Andreas

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Re: [libav-devel] [PATCH] asfdec: prevent the infinite loop in detect unknown_subobject

Reply via email to