1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00

asfdec: Check packet_replic_size earlier

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2011-10-31 22:42:45 +01:00
parent 8475ec190c
commit 60fcc19bff

View File

@ -822,6 +822,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
//printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
if (rsize+asf->packet_replic_size > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
return -1;
}
if (asf->packet_replic_size >= 8) {
asf->packet_obj_size = avio_rl32(pb);
if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
@ -856,10 +860,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
return -1;
}
if (rsize > asf->packet_size_left) {
av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
return -1;
}
if (asf->packet_flags & 0x01) {
DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
if (rsize > asf->packet_size_left) {