# HG changeset patch
# User mru
# Date 1277392206 0
# Node ID 240beb8a3072a7246e83f26fff94fba2a3b0492b
# Parent  224077f3c564acb56d354d581037cea00039e885
asfdec: ensure number of streams is within bounds; remove VLA in asf_read_pts()

diff -r 224077f3c564 -r 240beb8a3072 asfdec.c
--- a/asfdec.c	Thu Jun 24 06:55:53 2010 +0000
+++ b/asfdec.c	Thu Jun 24 15:10:06 2010 +0000
@@ -35,6 +35,7 @@
 #undef NDEBUG
 #include <assert.h>
 
+#define ASF_MAX_STREAMS 127
 #define FRAME_HEADER_SIZE 17
 // Fix Me! FRAME_HEADER_SIZE may be different.
 
@@ -244,6 +245,11 @@
             int64_t pos1, pos2, start_time;
             int test_for_ext_stream_audio, is_dvr_ms_audio=0;
 
+            if (s->nb_streams == ASF_MAX_STREAMS) {
+                av_log(s, AV_LOG_ERROR, "too many streams\n");
+                return AVERROR(EINVAL);
+            }
+
             pos1 = url_ftell(pb);
 
             st = av_new_stream(s, 0);
@@ -1053,7 +1059,7 @@
     int64_t pts;
     int64_t pos= *ppos;
     int i;
-    int64_t start_pos[s->nb_streams];
+    int64_t start_pos[ASF_MAX_STREAMS];
 
     for(i=0; i<s->nb_streams; i++){
         start_pos[i]= pos;