comparison asf.c @ 1709:7331d7153e0a libavformat
check fragment offset and size
yes this too could have been exploitable ...
author | michael |
---|---|
date | Mon, 22 Jan 2007 16:37:45 +0000 |
parents | 2c4d5a3fbab1 |
children | 33a16d903dcc |
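--- a/asf.c
+++ b/asf.c
@@ -701,10 +701,18 @@
 // asf->packet_size, asf_st->pkt.size, asf->packet_frag_offset,
 // asf_st->frag_offset, asf->packet_frag_size, asf_st->pkt.data);
 asf->packet_size_left -= asf->packet_frag_size;
 if (asf->packet_size_left < 0)
 continue;
+
+if( asf->packet_frag_offset >= asf_st->pkt.size
+|| asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+continue;
+}
+
 get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
 asf->packet_frag_size);
 asf_st->frag_offset += asf->packet_frag_size;
 /* test if whole packet is read */
 if (asf_st->frag_offset == asf_st->pkt.size) {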
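Review bot: On the new rejection path (the `continue` inside the added `if`), the fragment's `asf->packet_frag_size` bytes are never consumed from `pb`, although `asf->packet_size_left` was already reduced by that amount just above, so the read position and the packet accounting appear to disagree after an invalid fragment. The loop head is outside the hunk, so whether it resynchronises cannot be confirmed from here; if it does not, skipping the payload before continuing, e.g. `url_fskip(pb, asf->packet_frag_size);`, would keep later headers from being parsed out of fragment data. The bounds test is only wrap-safe because the first clause establishes `packet_frag_offset < pkt.size` before the subtraction, so a comment such as `/* order matters: offset < size is checked first, so the subtraction cannot wrap */` would guard against a later reorder. The declarations are not visible here; if `pkt.size` is a signed int, the `%u` in the log format and the mixed signed/unsigned comparison deserve a second look.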