[FFmpeg-cvslog] avformat/gifdec: make GIF_APP_EXT_LABEL parsing more robust

Michael Niedermayer git at videolan.org
Thu Oct 24 11:59:22 CEST 2013


ffmpeg | branch: release/2.0 | Michael Niedermayer <michaelni at gmx.at> | Fri Oct  4 22:56:02 2013 +0200| [7da810e68b76f7324f3f921999375fb876455f7a] | committer: Carl Eugen Hoyos

avformat/gifdec: make GIF_APP_EXT_LABEL parsing more robust

Fixes Ticket3021

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit e1f8184a1a973fd7de1bf53578d09661ec7bad75)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7da810e68b76f7324f3f921999375fb876455f7a
---

 libavformat/gifdec.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c
index e05dc41..2981bca 100644
--- a/libavformat/gifdec.c
+++ b/libavformat/gifdec.c
@@ -164,16 +164,26 @@ static int gif_read_ext(AVFormatContext *s)
         if ((ret = avio_skip(pb, sb_size - 3)) < 0 )
             return ret;
     } else if (ext_label == GIF_APP_EXT_LABEL) {
-        uint8_t netscape_ext[sizeof(NETSCAPE_EXT_STR)-1 + 2];
+        uint8_t data[256];
 
-        if ((sb_size = avio_r8(pb)) != strlen(NETSCAPE_EXT_STR))
-            return 0;
-        ret = avio_read(pb, netscape_ext, sizeof(netscape_ext));
-        if (ret < sizeof(netscape_ext))
+        sb_size = avio_r8(pb);
+        ret = avio_read(pb, data, sb_size);
+        if (ret < 0 || !sb_size)
             return ret;
-        gdc->total_iter = avio_rl16(pb);
-        if (gdc->total_iter == 0)
-            gdc->total_iter = -1;
+
+        if (sb_size == strlen(NETSCAPE_EXT_STR)) {
+            sb_size = avio_r8(pb);
+            ret = avio_read(pb, data, sb_size);
+            if (ret < 0 || !sb_size)
+                return ret;
+
+            if (sb_size == 3 && data[0] == 1) {
+                gdc->total_iter = AV_RL16(data+1);
+
+                if (gdc->total_iter == 0)
+                    gdc->total_iter = -1;
+            }
+        }
     }
 
     if ((ret = gif_skip_subblocks(pb)) < 0)



More information about the ffmpeg-cvslog mailing list