[Ffmpeg-cvslog] r6361 - trunk/libavformat/asf.c

michael subversion
Wed Sep 27 23:19:47 CEST 2006


Author: michael
Date: Wed Sep 27 23:19:47 2006
New Revision: 6361

Modified:
   trunk/libavformat/asf.c

Log:
prevent infinite loop with VORC012.WMA


Modified: trunk/libavformat/asf.c
==============================================================================
--- trunk/libavformat/asf.c	(original)
+++ trunk/libavformat/asf.c	Wed Sep 27 23:19:47 2006
@@ -521,6 +521,16 @@
     DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
     DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
 
+    //the following checks prevent overflows and infinite loops
+    if(packet_length >= (1U<<29)){
+        av_log(s, AV_LOG_ERROR, "invalid packet_length %d at:%"PRId64"\n", packet_length, url_ftell(pb));
+        return 0; // FIXME this should be -1
+    }
+    if(padsize >= (1U<<29)){
+        av_log(s, AV_LOG_ERROR, "invalid padsize %d at:%"PRId64"\n", padsize, url_ftell(pb));
+        return 0; // FIXME this should be -1
+    }
+
     asf->packet_timestamp = get_le32(pb);
     get_le16(pb); /* duration */
     // rsize has at least 11 bytes which have to be present
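Review bot: Both new rejection paths end in `return 0`, so a header with an out-of-range `packet_length` or `padsize` is reported to the caller exactly like a header that parsed cleanly, which the FIXME comments already acknowledge. Unless a caller is known to depend on 0 here, the checks should end in `return -1;`, and the caller should stop or resynchronise instead of carrying on with the fields left over from the previous packet. The two bounds are also independent of each other: nothing in the hunk relates `padsize` to `packet_length`, so a padding length larger than the packet still passes both tests. Whether that case is caught later cannot be seen from here, because the function starts before and continues after the hunk.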
@@ -557,6 +567,7 @@
             //printf("PacketLeftSize:%d  Pad:%d Pos:%Ld\n", asf->packet_size_left, asf->packet_padsize, url_ftell(pb));
             if((url_ftell(&s->pb) + ret - s->data_offset) % asf->packet_size)
                 ret += asf->packet_size - ((url_ftell(&s->pb) + ret - s->data_offset) % asf->packet_size);
+            assert(ret>=0);
             /* fail safe */
             url_fskip(pb, ret);
             asf->packet_pos= url_ftell(&s->pb);
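Review bot: `assert(ret>=0);` is the only guard in front of `url_fskip(pb, ret)`, and it is compiled out when the file is built with NDEBUG, while in a build with assertions enabled a malformed file aborts the whole process. The value appears to be derived from fields read from the input, so a runtime check is the better fit, for example `if(ret < 0) return -1;` with an `av_log` line in the style of the first hunk. The exact error value depends on the enclosing function, which lies outside the hunk. The two `% asf->packet_size` expressions just above also assume a non-zero `packet_size`; it is worth confirming that the header parser rejects zero.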



