diff asf.c @ 1709:7331d7153e0a libavformat

check fragment offset and size; yes, this too could have been exploitable ...
author michael
date Mon, 22 Jan 2007 16:37:45 +0000
parents 2c4d5a3fbab1
children 33a16d903dcc
--- a/asf.c	Mon Jan 22 12:55:23 2007 +0000
+++ b/asf.c	Mon Jan 22 16:37:45 2007 +0000
@@ -703,6 +703,14 @@
         asf->packet_size_left -= asf->packet_frag_size;
         if (asf->packet_size_left < 0)
             continue;
+
+        if(   asf->packet_frag_offset >= asf_st->pkt.size
+           || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+            av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+                asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+            continue;
+        }
+
         get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
                    asf->packet_frag_size);
         asf_st->frag_offset += asf->packet_frag_size;
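Review bot: The new guard on packet_frag_offset/packet_frag_size is only sound if both fields cannot be negative; if they are signed ints (the header is not visible here, and the `%u` specifiers in the av_log call suggest the author may be treating them as unsigned), a negative offset slips past `offset >= size`, makes `size - offset` larger, and the get_buffer below writes before pkt.data. If the fields are signed, either reject negatives explicitly, `if (asf->packet_frag_offset < 0 || asf->packet_frag_size < 0 || ...)`, or change the field types to unsigned where they are declared; in both cases the av_log format specifiers must match the actual field types, since `%u` with an int argument is a format/argument mismatch. The enclosing loop and function begin before this hunk.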