Mercurial > libavformat.hg
comparison asf.c @ 1709:7331d7153e0a libavformat
check fragment offset and size
yes this too could have been exploitable ...
| author | michael |
|---|---|
| date | Mon, 22 Jan 2007 16:37:45 +0000 |
| parents | 2c4d5a3fbab1 |
| children | 33a16d903dcc |
comparison
equal
deleted
inserted
replaced
| 1708:2c4d5a3fbab1 | 1709:7331d7153e0a |
|---|---|
| 701 // asf->packet_size, asf_st->pkt.size, asf->packet_frag_offset, | 701 // asf->packet_size, asf_st->pkt.size, asf->packet_frag_offset, |
| 702 // asf_st->frag_offset, asf->packet_frag_size, asf_st->pkt.data); | 702 // asf_st->frag_offset, asf->packet_frag_size, asf_st->pkt.data); |
| 703 asf->packet_size_left -= asf->packet_frag_size; | 703 asf->packet_size_left -= asf->packet_frag_size; |
| 704 if (asf->packet_size_left < 0) | 704 if (asf->packet_size_left < 0) |
| 705 continue; | 705 continue; |
| 706 | |
| 707 if( asf->packet_frag_offset >= asf_st->pkt.size | |
| 708 || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){ | |
| 709 av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n", | |
| 710 asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size); | |
| 711 continue; | |
| 712 } | |
| 713 | |
| 706 get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset, | 714 get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset, |
| 707 asf->packet_frag_size); | 715 asf->packet_frag_size); |
| 708 asf_st->frag_offset += asf->packet_frag_size; | 716 asf_st->frag_offset += asf->packet_frag_size; |
| 709 /* test if whole packet is read */ | 717 /* test if whole packet is read */ |
| 710 if (asf_st->frag_offset == asf_st->pkt.size) { | 718 if (asf_st->frag_offset == asf_st->pkt.size) { |