[MPlayer-cvslog] r26644 - trunk/libmpdemux/demux_asf.c

eugeni subversion at mplayerhq.hu
Fri May 2 15:33:14 CEST 2008


Author: eugeni
Date: Fri May  2 15:33:14 2008
New Revision: 26644

Log:
Check ASF packet size before calling demux_asf_read_packet. Fixes segfault
with damaged ASF files.


Modified:
   trunk/libmpdemux/demux_asf.c

Modified: trunk/libmpdemux/demux_asf.c
==============================================================================
--- trunk/libmpdemux/demux_asf.c	(original)
+++ trunk/libmpdemux/demux_asf.c	Fri May  2 15:33:14 2008
@@ -3,6 +3,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <assert.h>
 
 #include "config.h"
 #include "mp_msg.h"
@@ -501,6 +502,7 @@ static int demux_asf_fill_buffer(demuxer
 		  p++;
                   //printf("  group part: %d bytes\n",len2);
                   if(len2 > len - 1) break; // Not enough data
+                  assert(len2 > 0 && len2 <= asf->packetsize);
                   demux_asf_read_packet(demux,p,len2,streamno,seq,x,duration,-1,keyframe);
                   p+=len2;
 		  len-=len2+1;
@@ -513,8 +515,10 @@ static int demux_asf_fill_buffer(demuxer
               default:
                 // NO GROUPING:
                 //printf("fragment offset: %d  \n",sh->x);
-                if (!asf->asf_is_dvr_ms || asf->found_first_key_frame)
+                if (!asf->asf_is_dvr_ms || asf->found_first_key_frame) {
+                    assert(len > 0 && len <= asf->packetsize);
                     demux_asf_read_packet(demux,p,len,streamno,seq,time2,duration,x,keyframe);
+                }
                 p+=len;
                 break;
 	      }



More information about the MPlayer-cvslog mailing list