changeset 1709:7331d7153e0a libavformat
check fragment offset and size
yes this too could have been exploitable ...
author | michael |
date | Mon, 22 Jan 2007 16:37:45 +0000 |
parents | 2c4d5a3fbab1 |
children | 33a16d903dcc |
files | asf.c asf.h |
diffstat | 2 files changed, 10 insertions(+), 2 deletions(-) [+] |
--- a/asf.c Mon Jan 22 12:55:23 2007 +0000
+++ b/asf.c Mon Jan 22 16:37:45 2007 +0000
@@ -703,6 +703,14 @@
asf->packet_size_left -= asf->packet_frag_size;
if (asf->packet_size_left < 0)
continue;
+
+ if( asf->packet_frag_offset >= asf_st->pkt.size
+ || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+ av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+ asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+ continue;
+ }
+
get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset, asf->packet_frag_size);
asf_st->frag_offset += asf->packet_frag_size;
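Review bot: The new reject branch before `get_buffer` leaves the stream position untouched while `asf->packet_size_left` has already been reduced by `packet_frag_size` on the first line of the hunk, so unless the loop head (outside this hunk) resynchronises by seeking to the packet boundary, the next frame header is parsed from inside the rejected fragment's payload and the packet accounting drifts for the rest of the packet. Skipping the fragment's `packet_frag_size` bytes from `pb` before the `continue` keeps the accounting and the stream in step; at that point `packet_frag_size` has already been checked against `packet_size_left`, so the skip stays within the current packet (the pre-existing `packet_size_left < 0` path has the same gap, but it is not what this commit is about). The log line formats `asf_st->pkt.size` with `%u`; if that field is an `int`, as AVPacket's size usually is, the specifier should be `%d` or the argument cast, which `-Wformat` would flag. The enclosing function starts and ends outside the hunk.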
--- a/asf.h Mon Jan 22 12:55:23 2007 +0000
+++ b/asf.h Mon Jan 22 16:37:45 2007 +0000
@@ -106,8 +106,8 @@
int packet_replic_size;
int packet_key_frame;
int packet_padsize;
- int packet_frag_offset;
- int packet_frag_size;
+ unsigned int packet_frag_offset;
+ unsigned int packet_frag_size;
int packet_frag_timestamp;
int packet_multi_size;
int packet_obj_size;
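Review bot: Making `packet_frag_size` unsigned changes the arithmetic of `asf->packet_size_left -= asf->packet_frag_size;` in asf.c: if `packet_size_left` remains a signed `int` (its declaration is outside this hunk), the subtraction is done in unsigned and converted back, so a `packet_frag_size` close to `UINT_MAX` can wrap to a small positive remainder and pass the `packet_size_left < 0` test; the new offset/size check in asf.c is then the only thing bounding the `get_buffer` write, which holds as long as that check stays in front of every read into `pkt.data`. A short comment on the two fields would make that dependency explicit, e.g. `/* unsigned: range-checked against pkt.size in asf.c before any read into pkt.data */`. The neighbouring fields parsed from the same headers (`packet_replic_size`, `packet_multi_size`, `packet_obj_size`) stay `int`; whether any of them is used as a length elsewhere cannot be seen from this hunk. The enclosing struct starts and ends outside the hunk.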