virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-10 06:10:52 +02:00
Code Issues Releases Activity

avformat/rtpdec_asf: Fix potential pointer overflow

Browse Source 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2015-04-12 17:41:23 +02:00
parent 870ec3f69e
commit 445a02b1ec
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/rtpdec_asf.c
View File

@@ -54,6 +54,7 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
p += sizeof(ff_asf_guid) + 14; p += sizeof(ff_asf_guid) + 14;
do { do {
uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid)); uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid));
int skip = 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;
if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) { if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) {
if (chunksize > end - p) if (chunksize > end - p)
return -1; return -1;
@@ -61,9 +62,11 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
continue; continue;
} }
if (end - p < 8 + skip)
break;
/* skip most of the file header, to min_pktsize */ /* skip most of the file header, to min_pktsize */
p += 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2; p += skip;
if (p + 8 <= end && AV_RL32(p) == AV_RL32(p + 4)) { if (AV_RL32(p) == AV_RL32(p + 4)) {
/* and set that to zero */ /* and set that to zero */
AV_WL32(p, 0); AV_WL32(p, 0);
return 0; return 0;