On 8/25/17, Michael Niedermayer <mich...@niedermayer.cc> wrote: > From: ****** and *********(******) <tony.sh and wangchu....@alibaba-inc.com> > > Fixes: loop.asf > > Found-by: Xiaohei and Wangchu from Alibaba Security Team > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavformat/asfdec_f.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c > index be09a92bd1..00dd5ec41d 100644 > --- a/libavformat/asfdec_f.c > +++ b/libavformat/asfdec_f.c > @@ -749,13 +749,20 @@ static int asf_read_marker(AVFormatContext *s, int64_t > size) > count = avio_rl32(pb); // markers count > avio_rl16(pb); // reserved 2 bytes > name_len = avio_rl16(pb); // name length > - for (i = 0; i < name_len; i++) > + for (i = 0; i < name_len; i++) { > + if (avio_feof(pb)) > + return AVERROR_INVALIDDATA; > avio_r8(pb); // skip the name
This is a very slow way to skip something. > + } > + > > for (i = 0; i < count; i++) { > int64_t pres_time; > int name_len; > > + if (avio_feof(pb)) > + return AVERROR_INVALIDDATA; > + > avio_rl64(pb); // offset, 8 bytes > pres_time = avio_rl64(pb); // presentation time > pres_time -= asf->hdr.preroll * 10000; > -- > 2.14.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
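Review bot: in the name-skipping loop of asf_read_marker(), testing avio_feof(pb) before every avio_r8(pb) stops at end of input but still walks the name one byte at a time; a single avio_skip(pb, name_len) followed by one avio_feof(pb) check would give the same early exit with one call. Since name_len is read with avio_rl16(pb), that loop was already limited to 65535 iterations, so the check that matters for the hang is the one at the top of the `for (i = 0; i < count; i++)` loop, where count comes from avio_rl32(pb) and nothing else ties it to the amount of data left. The hunk also adds an empty line after the new closing brace where an empty line already follows, leaving two in a row. The commit message gives only "Fixes: loop.asf"; one sentence saying that count and name_len are taken from the file and that reading now stops with AVERROR_INVALIDDATA at end of input would document why the checks were added.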