[FFmpeg-cvslog] avformat/gifdec: make GIF_APP_EXT_LABEL parsing more robust
Michael Niedermayer
git at videolan.org
Fri Oct 4 23:39:23 CEST 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Oct 4 22:56:02 2013 +0200| [e1f8184a1a973fd7de1bf53578d09661ec7bad75] | committer: Michael Niedermayer
avformat/gifdec: make GIF_APP_EXT_LABEL parsing more robust
Fixes Ticket3021
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e1f8184a1a973fd7de1bf53578d09661ec7bad75
---
libavformat/gifdec.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c
index e05dc41..2981bca 100644
--- a/libavformat/gifdec.c
+++ b/libavformat/gifdec.c
@@ -164,16 +164,26 @@ static int gif_read_ext(AVFormatContext *s)
if ((ret = avio_skip(pb, sb_size - 3)) < 0 )
return ret;
} else if (ext_label == GIF_APP_EXT_LABEL) {
- uint8_t netscape_ext[sizeof(NETSCAPE_EXT_STR)-1 + 2];
+ uint8_t data[256];
- if ((sb_size = avio_r8(pb)) != strlen(NETSCAPE_EXT_STR))
- return 0;
- ret = avio_read(pb, netscape_ext, sizeof(netscape_ext));
- if (ret < sizeof(netscape_ext))
+ sb_size = avio_r8(pb);
+ ret = avio_read(pb, data, sb_size);
+ if (ret < 0 || !sb_size)
return ret;
- gdc->total_iter = avio_rl16(pb);
- if (gdc->total_iter == 0)
- gdc->total_iter = -1;
+
+ if (sb_size == strlen(NETSCAPE_EXT_STR)) {
+ sb_size = avio_r8(pb);
+ ret = avio_read(pb, data, sb_size);
+ if (ret < 0 || !sb_size)
+ return ret;
+
+ if (sb_size == 3 && data[0] == 1) {
+ gdc->total_iter = AV_RL16(data+1);
+
+ if (gdc->total_iter == 0)
+ gdc->total_iter = -1;
+ }
+ }
}
if ((ret = gif_skip_subblocks(pb)) < 0)
More information about the ffmpeg-cvslog
mailing list