On 2014-10-27 16:27, Michael Niedermayer wrote:
Fixes Ticket4040
Signed-off-by: Michael Niedermayer <michae...@gmx.at>
---
libavformat/mxfdec.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index b01dd0c..a1abc34 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -2211,6 +2211,13 @@ end:
avio_seek(s->pb, mxf->run_in, SEEK_SET);
}
+static uint64_t loop_detection_state(AVFormatContext *s)
+{
+ MXFContext *mxf = s->priv_data;
+
+ return avio_tell(s->pb) + 0xA987654321*!mxf->current_partition;
+}
+
What the hell? Just use a flag or something, or mxf->parsing_backward
(preferably)
static int mxf_read_header(AVFormatContext *s)
{
MXFContext *mxf = s->priv_data;
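Review bot: in loop_detection_state(), adding 0xA987654321*!mxf->current_partition to avio_tell(s->pb) folds a boolean into a file offset, so two distinct states can compare equal: offset X with no current partition yields the same value as offset X + 0xA987654321 with one. The constant is also undocumented. In addition, avio_tell() returns a signed int64_t that can be a negative error code, and it is converted to uint64_t here without a check. Consider keeping the position and the partition condition as two separate values and comparing both in the caller, or at minimum add a comment stating what the constant is meant to distinguish.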
@@ -2235,12 +2242,12 @@ static int mxf_read_header(AVFormatContext *s)
while (!avio_feof(s->pb)) {
const MXFMetadataReadTableEntry *metadata;
- if (avio_tell(s->pb) == last_pos) {
+ if (loop_detection_state(s) == last_pos) {
av_log(mxf->fc, AV_LOG_ERROR, "MXF structure loop
detected\n");
return AVERROR_INVALIDDATA;
}
if ((1ULL<<61) % last_pos_index++ == 0)
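Review bot: at the changed comparison, last_pos no longer holds a file position but the combined value returned by loop_detection_state(s), so the variable name is now misleading. The assignment that stores last_pos is not visible in the hunk as shown, and it has to use the same function, otherwise the check compares a plain offset against an offset plus constant and never matches when there is no current partition. Suggest renaming the variable to reflect that it holds a state, and confirming that the store and the compare both go through loop_detection_state(s).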
This looks extremely dubious, but I see 1c010fd03 was a stop gap to fix
an issue discovered by fuzzing. Why didn't anyone poke me on IRC about
it?
I have furniture to move today, after that I might have some time to
develop a non-awful fix.
/Tomas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel