changeset 32745:64be018ebafa

Check that rlen is valid before using it to increment a pointer.
author reimar
date Sun, 30 Jan 2011 10:38:10 +0000
parents c8475dec7a3f
children 2372e26d24fe
files libmpdemux/demux_asf.c
diffstat 1 files changed, 4 insertions(+), 0 deletions(-) [+]
--- a/libmpdemux/demux_asf.c	Sun Jan 30 10:35:00 2011 +0000
+++ b/libmpdemux/demux_asf.c	Sun Jan 30 10:38:10 2011 +0000
@@ -469,6 +469,10 @@
 	      rlen = read_varlen(&p, segtype, 0);
 
 //	      printf("### rlen=%d   \n",rlen);
+              if (rlen < 0 || rlen > p_end - p) {
+                mp_msg(MSGT_DEMUX, MSGL_V, "invalid rlen=%d\n", rlen);
+                break;
+              }
 
               switch(rlen){
               case 0x01: // 1 = special, means grouping
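Review bot: The length field itself is still read without a bound: `read_varlen(&p, segtype, 0)` on the first context line is given no end pointer, so unless an earlier check outside this hunk guarantees enough bytes remain before `p_end`, the new test only validates `rlen` after `p` may already have been advanced past the packet data. A guard ahead of the call that confirms the bytes needed for the length field are still below `p_end` would close that, and a comment on the new check such as `/* rlen is read from the file; reject lengths that would move p past p_end */` would record why it exists. The rejection is logged at `MSGL_V`, so at default verbosity a malformed packet is dropped silently; a warning level may be more useful when triaging a suspicious file. The enclosing loop starts and ends outside the hunk, so what `break` exits cannot be confirmed from here.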