[FFmpeg-cvslog] riff: fix infinite loop

Michael Niedermayer git at videolan.org
Wed Feb 6 00:21:20 CET 2013


ffmpeg | branch: release/1.1 | Michael Niedermayer <michaelni at gmx.at> | Tue Feb  5 18:31:27 2013 +0100| [5a97a5291a83d2053aa2380e36bda1998b7e24eb] | committer: Carl Eugen Hoyos

riff: fix infinite loop

Fixes Ticket2241

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit a8343bfb6a3f00777943b94ff2969422f578f246)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5a97a5291a83d2053aa2380e36bda1998b7e24eb
---

 libavformat/riff.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/riff.c b/libavformat/riff.c
index 573e417..c0b42c1 100644
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -817,7 +817,13 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size)
 
         chunk_code = avio_rl32(pb);
         chunk_size = avio_rl32(pb);
-
+        if (url_feof(pb)) {
+            if (chunk_code || chunk_size) {
+                av_log(s, AV_LOG_WARNING, "INFO subchunk truncated\n");
+                return AVERROR_INVALIDDATA;
+            }
+            break;
+        }
         if (chunk_size > end || end - chunk_size < cur || chunk_size == UINT_MAX) {
             avio_seek(pb, -9, SEEK_CUR);
             chunk_code = avio_rl32(pb);
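Review bot: in the new `url_feof(pb)` block, the `chunk_code || chunk_size` test separates a truncated subchunk header from a clean end of data only by whether the two values just read are nonzero, so a header cut short after bytes that happen to be zero takes the silent `break` path instead of returning `AVERROR_INVALIDDATA`. If that is intended, a one-line comment above the `break` explaining why an all-zero read at EOF counts as a normal end would help the next reader. Otherwise consider checking the current position against `end` (already used in the bounds check just below) before breaking, so that reaching EOF short of `end` is also logged as truncation.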


