Commit da6a40a6 authored by michael's avatar michael

check fragment offset and size

yes this too could have been exploitable ...


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@7650 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 286eb78a
...@@ -703,6 +703,14 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) ...@@ -703,6 +703,14 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
asf->packet_size_left -= asf->packet_frag_size; asf->packet_size_left -= asf->packet_frag_size;
if (asf->packet_size_left < 0) if (asf->packet_size_left < 0)
continue; continue;
if( asf->packet_frag_offset >= asf_st->pkt.size
|| asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
continue;
}
get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset, get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
asf->packet_frag_size); asf->packet_frag_size);
asf_st->frag_offset += asf->packet_frag_size; asf_st->frag_offset += asf->packet_frag_size;
......
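Review bot: The rejected fragment's bytes are never consumed from pb when the new block reaches its `continue` after the av_log, yet `packet_size_left` has already been reduced by `packet_frag_size` at the top of the hunk, so the byte accounting and the stream position now disagree; unless the loop head (outside this hunk) resynchronizes, the next iteration parses a fragment header out of payload bytes. Consider `url_fskip(pb, asf->packet_frag_size);` before the `continue`, or giving up on the whole packet. The test `asf->packet_frag_offset >= asf_st->pkt.size` compares the now-unsigned field with the int `pkt.size`, so it is only a valid bound while pkt.size is non-negative; a comment such as `/* pkt.size >= 0 here, so the unsigned compare is a real bounds check */` would record that assumption. asf_read_packet begins and continues outside the hunk.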
...@@ -106,8 +106,8 @@ typedef struct { ...@@ -106,8 +106,8 @@ typedef struct {
int packet_replic_size; int packet_replic_size;
int packet_key_frame; int packet_key_frame;
int packet_padsize; int packet_padsize;
int packet_frag_offset; unsigned int packet_frag_offset;
int packet_frag_size; unsigned int packet_frag_size;
int packet_frag_timestamp; int packet_frag_timestamp;
int packet_multi_size; int packet_multi_size;
int packet_obj_size; int packet_obj_size;
......
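Review bot: Making packet_frag_offset and packet_frag_size unsigned silently changes every remaining site that mixes them with int fields: in asf_read_packet, `asf->packet_size_left -= asf->packet_frag_size;` is now evaluated in unsigned arithmetic and converted back to int, and the following `packet_size_left < 0` test works only because that out-of-range conversion wraps on the usual targets. Worth a comment on the two fields so the next reader knows why they differ from their neighbours, e.g. `/* unsigned: bounds-checked against pkt.size in asf_read_packet; a negative value would defeat that check */`. The enclosing typedef struct starts and ends outside the hunk, so other fields that interact with these two may exist beyond what is visible here.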