aboutsummaryrefslogtreecommitdiff
path: root/gst-libs/ext/libav/libavformat/asfdec.c
diff options
context:
space:
mode:
Diffstat (limited to 'gst-libs/ext/libav/libavformat/asfdec.c')
-rw-r--r--gst-libs/ext/libav/libavformat/asfdec.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/gst-libs/ext/libav/libavformat/asfdec.c b/gst-libs/ext/libav/libavformat/asfdec.c
index 91d285e..3b48788 100644
--- a/gst-libs/ext/libav/libavformat/asfdec.c
+++ b/gst-libs/ext/libav/libavformat/asfdec.c
@@ -202,6 +202,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size)
asf->hdr.flags = avio_rl32(pb);
asf->hdr.min_pktsize = avio_rl32(pb);
asf->hdr.max_pktsize = avio_rl32(pb);
+ if (asf->hdr.min_pktsize >= (1U<<29))
+ return AVERROR_INVALIDDATA;
asf->hdr.max_bitrate = avio_rl32(pb);
s->packet_size = asf->hdr.max_pktsize;
@@ -616,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
if (gsize < 24)
return -1;
if (!ff_guidcmp(&g, &ff_asf_file_header)) {
- asf_read_file_properties(s, gsize);
+ int ret = asf_read_file_properties(s, gsize);
+ if (ret < 0)
+ return ret;
} else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
asf_read_stream_properties(s, gsize);
} else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
@@ -757,7 +761,7 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
c= avio_r8(pb);
d= avio_r8(pb);
rsize+=3;
- }else{
+ } else if (!pb->eof_reached) {
avio_seek(pb, -1, SEEK_CUR); //FIXME
}
@@ -789,6 +793,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
asf->packet_segments = 1;
asf->packet_segsizetype = 0x80;
}
+ if (rsize > packet_length - padsize) {
+ asf->packet_size_left = 0;
+ av_log(s, AV_LOG_ERROR,
+ "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
+ rsize, packet_length, padsize, avio_tell(pb));
+ return -1;
+ }
asf->packet_size_left = packet_length - padsize - rsize;
if (packet_length < asf->hdr.min_pktsize)
padsize += asf->hdr.min_pktsize - packet_length;
@@ -1081,6 +1092,8 @@ static int ff_asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pk
//printf("packet %d %d\n", asf_st->pkt.size, asf->packet_frag_size);
asf_st->pkt.size = 0;
asf_st->pkt.data = 0;
+ asf_st->pkt.side_data_elems = 0;
+ asf_st->pkt.side_data = NULL;
break; // packet completed
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-10 20:04:37 +0000