Mercurial > libavformat.hg

diff asf.c @ 1206:e60bf67d9bf8 libavformat

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
The reader ignores the size of the ASF data object and keeps on reading even beyond it. Therefore if the ASF file includes an index object at its end, the reader will treat the index like data, but of course will fail since it thinks that the data is corrupted. When reading an asf file with an index object, ffmpeg will complain at the end of the file that it read an invalid header. Patch by Kohn Emil Dan, < emild A cs P technion P ac P il > Original thead: Date: Apr 18, 2006 4:11 PM Subject: [Ffmpeg-devel] Two ASF related bugs and fixes
author gpoirier
date Sat, 29 Jul 2006 16:07:19 +0000
parents 6a5e58d2114b
children cf88f6719743
line wrap: on
line diff
--- a/asf.c	Sat Jul 29 15:36:13 2006 +0000
+++ b/asf.c	Sat Jul 29 16:07:19 2006 +0000
@@ -327,6 +327,12 @@
             pos2 = url_ftell(pb);
             url_fskip(pb, gsize - (pos2 - pos1 + 24));
         } else if (!memcmp(&g, &data_header, sizeof(GUID))) {
+            asf->data_object_offset = url_ftell(pb);
+            if (gsize != (uint64_t)-1 && gsize >= 24) {
+                asf->data_object_size = gsize - 24;
+            } else {
+                asf->data_object_size = (uint64_t)-1;
+            }
             break;
         } else if (!memcmp(&g, &comment_header, sizeof(GUID))) {
             int len1, len2, len3, len4, len5;
@@ -552,6 +558,9 @@
             /* fail safe */
             url_fskip(pb, ret);
             asf->packet_pos= url_ftell(&s->pb);
+            if (asf->data_object_size != (uint64_t)-1 &&
+                (asf->packet_pos - asf->data_object_offset >= asf->data_object_size))
+                return AVERROR_IO; /* Do not exceed the size of the data object */
             ret = asf_get_packet(s);
             //printf("READ ASF PACKET  %d   r:%d   c:%d\n", ret, asf->packet_size_left, pc++);
             if (ret < 0 || url_feof(pb))