[FFmpeg-cvslog] asfdec_o: check for too small size in asf_read_unknown

Andreas Cadhalpun git at videolan.org
Fri Jan 15 01:00:56 CET 2016


ffmpeg | branch: master | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Wed Jan  6 19:21:49 2016 +0100| [c29e87ad55a2be29cc8ac5c0e047512c1f5d34d4] | committer: Andreas Cadhalpun

asfdec_o: check for too small size in asf_read_unknown

This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova at gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c29e87ad55a2be29cc8ac5c0e047512c1f5d34d4
---

 libavformat/asfdec_o.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index ca4a066..bc79f10 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -190,8 +190,13 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
         if ((ret = detect_unknown_subobject(s, asf->unknown_offset,
                                             asf->unknown_size)) < 0)
             return ret;
-    } else
+    } else {
+        if (size < 24) {
+            av_log(s, AV_LOG_ERROR, "Too small size %"PRIu64" (< 24).\n", size);
+            return AVERROR_INVALIDDATA;
+        }
         avio_skip(pb, size - 24);
+    }
 
     return 0;
 }



More information about the ffmpeg-cvslog mailing list