[FFmpeg-cvslog] asfdec_o: only set asf_pkt->data_size after sanity checks

Andreas Cadhalpun git at videolan.org
Thu Jan 28 00:44:36 CET 2016 

ffmpeg | branch: release/2.8 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Tue Jan  5 13:06:51 2016 +0100| [d7fbd0366005b2d4abf06e97d623e078ccf3e160] | committer: Andreas Cadhalpun

asfdec_o: only set asf_pkt->data_size after sanity checks

Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.

Reviewed-by: Alexandra Hájková <alexandra.khirnova at gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 763c572801a3db1cc7a2f07a52fee9d2e35ec95a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d7fbd0366005b2d4abf06e97d623e078ccf3e160
---

 libavformat/asfdec_o.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 4a64000..3221253 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt)
 {
     ASFContext *asf = s->priv_data;
     AVIOContext *pb = s->pb;
-    int ret;
+    int ret, data_size;
 
     if (!asf_pkt->data_size) {
-        asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
-        if (asf_pkt->data_size <= 0)
+        data_size = avio_rl32(pb); // read media object size
+        if (data_size <= 0)
             return AVERROR_INVALIDDATA;
-        if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
+        if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
             return ret;
+        asf_pkt->data_size = asf_pkt->size_left = data_size;
     } else
         avio_skip(pb, 4); // reading of media object size is already done
     asf_pkt->dts = avio_rl32(pb); // read presentation time
@@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt,
     int64_t  offset;
     uint64_t size;
     unsigned char *p;
-    int ret;
+    int ret, data_size;
 
     if (!asf_pkt->data_size) {
-        asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
-        if (asf_pkt->data_size <= 0)
+        data_size = avio_rl32(pb); // read media object size
+        if (data_size <= 0)
             return AVERROR_EOF;
-        if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
+        if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
             return ret;
+        asf_pkt->data_size = asf_pkt->size_left = data_size;
     } else
         avio_skip(pb, 4); // skip media object size
     asf_pkt->dts = avio_rl32(pb); // read presentation time

More information about the ffmpeg-cvslog mailing list