ffmpeg | branch: release/2.8 | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Tue Jan 5 13:06:51 2016 +0100| [d7fbd0366005b2d4abf06e97d623e078ccf3e160] | committer: Andreas Cadhalpun
asfdec_o: only set asf_pkt->data_size after sanity checks Otherwise invalid values are used unchecked in the next run. This can cause NULL pointer dereferencing. Reviewed-by: Alexandra Hájková <alexandra.khirn...@gmail.com> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> (cherry picked from commit 763c572801a3db1cc7a2f07a52fee9d2e35ec95a) Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d7fbd0366005b2d4abf06e97d623e078ccf3e160
---
 libavformat/asfdec_o.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 4a64000..3221253 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt)
 {
 ASFContext *asf = s->priv_data;
 AVIOContext *pb = s->pb;
- int ret;
+ int ret, data_size;

 if (!asf_pkt->data_size) {
- asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
- if (asf_pkt->data_size <= 0)
+ data_size = avio_rl32(pb); // read media object size
+ if (data_size <= 0)
 return AVERROR_INVALIDDATA;
- if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
+ if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
 return ret;
+ asf_pkt->data_size = asf_pkt->size_left = data_size;
 } else
 avio_skip(pb, 4); // reading of media object size is already done
 asf_pkt->dts = avio_rl32(pb); // read presentation time
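Review bot: `data_size` comes straight from `avio_rl32(pb)` and only `data_size <= 0` is rejected before it reaches `av_new_packet()`, so a malformed file can still make the demuxer request a packet buffer of almost INT_MAX bytes for a single media object; the identical block in asf_read_single_payload has the same gap. If a tighter limit is available at this point (for example the bytes remaining in the input, where that is known), it is worth checking against it before allocating; the hunk does not show which limit is appropriate. The deferred assignment also deserves a comment, because its ordering is what keeps a rejected size out of the next call, e.g. `/* store only after validation and allocation succeeded: a non-zero data_size makes the next call skip this branch */`. The function body continues past the end of the hunk.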
@@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt,
 int64_t offset;
 uint64_t size;
 unsigned char *p;
- int ret;
+ int ret, data_size;

 if (!asf_pkt->data_size) {
- asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size
- if (asf_pkt->data_size <= 0)
+ data_size = avio_rl32(pb); // read media object size
+ if (data_size <= 0)
 return AVERROR_EOF;
- if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
+ if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
 return ret;
+ asf_pkt->data_size = asf_pkt->size_left = data_size;
 } else
 avio_skip(pb, 4); // skip media object size
 asf_pkt->dts = avio_rl32(pb); // read presentation time
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
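Review bot: The `data_size <= 0` check here returns `AVERROR_EOF`, while the otherwise identical check in asf_read_replicated_data returns `AVERROR_INVALIDDATA`, so a zero or out-of-range media object size in a single payload is reported as a normal end of stream rather than as corrupt input. Unless that is deliberate (the hunk does not say), `return AVERROR_INVALIDDATA;` would make the two paths agree and let callers tell truncation from corruption. Both functions now carry the same read, check, allocate, assign sequence, so a small static helper would keep that ordering in one place. The function starts before and continues after the hunk.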