[MPlayer-cvslog] r26644 - trunk/libmpdemux/demux_asf.c
Michael Niedermayer
michaelni at gmx.at
Fri May 2 17:48:36 CEST 2008
On Fri, May 02, 2008 at 03:33:14PM +0200, eugeni wrote:
> Author: eugeni
> Date: Fri May 2 15:33:14 2008
> New Revision: 26644
>
> Log:
> Check ASF packet size before calling demux_asf_read_packet. Fixes segfault
> with damaged ASF files.
[...]
> @@ -501,6 +502,7 @@ static int demux_asf_fill_buffer(demuxer
> p++;
> //printf(" group part: %d bytes\n",len2);
> if(len2 > len - 1) break; // Not enough data
> + assert(len2 > 0 && len2 <= asf->packetsize);
> demux_asf_read_packet(demux,p,len2,streamno,seq,x,duration,-1,keyframe);
> p+=len2;
> len-=len2+1;
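Review bot: the added `assert(len2 > 0 && len2 <= asf->packetsize);` validates a length taken from the file with a mechanism that is compiled out when NDEBUG is defined and that aborts the whole player when it is enabled. Neither outcome handles a damaged file: release builds still pass the unchecked len2 to demux_asf_read_packet, and debug builds turn a bad packet into a crash. The line directly above already handles bad input at runtime with `if(len2 > len - 1) break;`, so the new bound belongs in the same form, for example `if(len2 <= 0 || len2 > asf->packetsize) break;`, ideally with a warning message so the skipped group is visible to the user.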
> @@ -513,8 +515,10 @@ static int demux_asf_fill_buffer(demuxer
> default:
> // NO GROUPING:
> //printf("fragment offset: %d \n",sh->x);
> - if (!asf->asf_is_dvr_ms || asf->found_first_key_frame)
> + if (!asf->asf_is_dvr_ms || asf->found_first_key_frame) {
> + assert(len > 0 && len <= asf->packetsize);
> demux_asf_read_packet(demux,p,len,streamno,seq,time2,duration,x,keyframe);
> + }
> p+=len;
> break;
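Review bot: in the NO GROUPING case the new check sits inside the `if (!asf->asf_is_dvr_ms || asf->found_first_key_frame)` block, so when that condition is false len is never checked and `p+=len;` still advances by the unvalidated value. Validate len before the conditional so both paths are covered. As in the grouped case, `assert(len > 0 && len <= asf->packetsize);` disappears under NDEBUG and aborts otherwise; a runtime test that rejects the packet (for example `if(len <= 0 || len > asf->packetsize)` followed by leaving the loop or skipping the packet) would actually stop the out-of-range length from reaching demux_asf_read_packet in every build.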
How does adding assert() prevent a segfault?
And what kind of segfault is this? The writing data from the file outside
the buffer type or is it just reading? Not that I think that it would take
more than a minute to find a way to make the code write out of the buffers.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No great genius has ever existed without some touch of madness. -- Aristotle