[MPlayer-cvslog] r38223 - trunk/libmpdemux/asfheader.c

reimar subversion at mplayerhq.hu
Wed Jan 20 20:03:33 EET 2021


Author: reimar
Date: Wed Jan 20 20:03:33 2021
New Revision: 38223

Log:
asfheader.c: add sanity check of type_size.

Fixes trac issue #2358.

Modified:
   trunk/libmpdemux/asfheader.c

Modified: trunk/libmpdemux/asfheader.c
==============================================================================
--- trunk/libmpdemux/asfheader.c	Wed Jan 20 20:03:32 2021	(r38222)
+++ trunk/libmpdemux/asfheader.c	Wed Jan 20 20:03:33 2021	(r38223)
@@ -437,7 +437,9 @@ int read_asf_header(demuxer_t *demuxer,s
       audio_pos = pos - 16 - 8;
       streamh = (ASF_stream_header_t *)&hdr[sh_pos];
       le2me_ASF_stream_header_t(streamh);
+      if (streamh->type_size > hdr_len) goto len_err_out;
       audio_pos += 64; //16+16+4+4+4+16+4;
+      if (audio_pos + streamh->type_size > hdr_len) goto len_err_out;
       buffer = &hdr[audio_pos];
       sh_audio=new_sh_audio(demuxer,streamh->stream_no & 0x7F, NULL);
       sh_audio->needs_parsing = 1;
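Review bot: The second added check, `if (audio_pos + streamh->type_size > hdr_len)`, does its bound with an addition, so it is only safe because of the preceding `type_size > hdr_len` test and the integer types of `audio_pos`, `type_size` and `hdr_len`, which are declared outside this hunk. A subtraction form does not rely on the sum staying in range: `if (audio_pos > hdr_len || streamh->type_size > hdr_len - audio_pos) goto len_err_out;`. It is also worth confirming that `sh_pos + sizeof(ASF_stream_header_t)` was bounded against `hdr_len` before the cast and `le2me_ASF_stream_header_t(streamh)` above, since that is not visible here. The body of read_asf_header starts and ends outside the hunk.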
@@ -461,6 +463,7 @@ int read_asf_header(demuxer_t *demuxer,s
     pos += sizeof(ASF_stream_header_t);
     if (pos > hdr_len) goto len_err_out;
     le2me_ASF_stream_header_t(streamh);
+    if (streamh->type_size > hdr_len) goto len_err_out;
     mp_msg(MSGT_HEADER, MSGL_V, "stream type: %s\n",
             asf_chunk_type(streamh->type));
     mp_msg(MSGT_HEADER, MSGL_V, "stream concealment: %s\n",
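Review bot: The added `if (streamh->type_size > hdr_len)` compares against the whole header length rather than what remains after `pos`, so a `type_size` that fits in `hdr_len` but not in the remaining bytes still passes at this point. Because `pos > hdr_len` has just been rejected two lines up, `if (streamh->type_size > hdr_len - pos) goto len_err_out;` is safe to evaluate and gives the tight bound, assuming the type-specific data is read starting at `pos` (that code is outside this hunk). If a later `pos`-based check already covers the remaining-length case, a comment such as `/* keeps pos + type_size from overflowing below */` would record why the looser test is here.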
@@ -491,6 +494,7 @@ int read_asf_header(demuxer_t *demuxer,s
         sh_video_t* sh_video=new_sh_video(demuxer,streamh->stream_no & 0x7F);
         mp_msg(MSGT_DEMUX, MSGL_INFO, MSGTR_VideoID, "asfheader", streamh->stream_no & 0x7F);
         len=streamh->type_size-(4+4+1+2);
+        if (len > streamh->type_size) goto len_err_out;
 	++video_streams;
 //        sh_video->bih=malloc(chunksize); memset(sh_video->bih,0,chunksize);
         sh_video->bih=calloc((len<sizeof(*sh_video->bih))?sizeof(*sh_video->bih):len,1);
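Review bot: The added `if (len > streamh->type_size)` catches `type_size < 4+4+1+2` only through wrap-around of the subtraction on the line above, which is easy to misread and depends on the type of `len` (declared outside the hunk). Testing before subtracting states the intent directly: `if (streamh->type_size < 4+4+1+2) goto len_err_out;` placed ahead of `len=streamh->type_size-(4+4+1+2);`. The check also runs after `new_sh_video()` has been called, so on the error path a video stream may stay registered without a `bih`; whether `len_err_out` handles that is not visible here, and moving the test above `new_sh_video()` would avoid the question. The `calloc` result on the last line is used with no NULL check visible in the hunk.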

