data_size after sanity checks

Andreas Cadhalpun Thu, 14 Jan 2016 16:02:30 -0800

On 05.01.2016 13:25, Andreas Cadhalpun wrote:
> Otherwise invalid values are used unchecked in the next run.
> This can cause NULL pointer dereferencing.
> 
> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
> ---
>  libavformat/asfdec_o.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
> index 38751d7..79b9ee4 100644
> --- a/libavformat/asfdec_o.c
> +++ b/libavformat/asfdec_o.c
> @@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext 
> *s, ASFPacket *asf_pkt)
>  {
>      ASFContext *asf = s->priv_data;
>      AVIOContext *pb = s->pb;
> -    int ret;
> +    int ret, data_size;
>  
>      if (!asf_pkt->data_size) {
> -        asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read 
> media object size
> -        if (asf_pkt->data_size <= 0)
> +        data_size = avio_rl32(pb); // read media object size
> +        if (data_size <= 0)
>              return AVERROR_INVALIDDATA;
> -        if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
> +        if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
>              return ret;
> +        asf_pkt->data_size = asf_pkt->size_left = data_size;
>      } else
>          avio_skip(pb, 4); // reading of media object size is already done
>      asf_pkt->dts = avio_rl32(pb); // read presentation time
> @@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext 
> *s, AVPacket *pkt,
>      int64_t  offset;
>      uint64_t size;
>      unsigned char *p;
> -    int ret;
> +    int ret, data_size;
>  
>      if (!asf_pkt->data_size) {
> -        asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read 
> media object size
> -        if (asf_pkt->data_size <= 0)
> +        data_size = avio_rl32(pb); // read media object size
> +        if (data_size <= 0)
>              return AVERROR_EOF;
> -        if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0)
> +        if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
>              return ret;
> +        asf_pkt->data_size = asf_pkt->size_left = data_size;
>      } else
>          avio_skip(pb, 4); // skip media object size
>      asf_pkt->dts = avio_rl32(pb); // read presentation time
>


Pushed now, as Alexandra (the author over at Libav) seems fine with it.

Best regards,
Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Re: [FFmpeg-devel] [PATCH 1/2] asfdec_o: only set asf_pkt->data_size after sanity checks

Reply via email to