[FFmpeg-cvslog] nutdec: abort if EOF is reached in decode_info_header/read_sm_data

Andreas Cadhalpun git at videolan.org
Mon Jul 20 10:48:09 CEST 2015


ffmpeg | branch: release/2.6 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Wed May 20 00:34:42 2015 +0200| [cb921dd47f748542561e18e9daf6c0de1afa553f] | committer: Michael Niedermayer

nutdec: abort if EOF is reached in decode_info_header/read_sm_data

These loops can take a lot of time if count is very large.

Reviewed-by: Michael Niedermayer <michaelni at gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb921dd47f748542561e18e9daf6c0de1afa553f
---

 libavformat/nutdec.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index cb0764a..056d6fb 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut)
     AVIOContext *bc    = s->pb;
     uint64_t tmp, chapter_start, chapter_len;
     unsigned int stream_id_plus1, count;
-    int chapter_id, i;
+    int chapter_id, i, ret;
     int64_t value, end;
     char name[256], str_value[1024], type_str[256];
     const char *type;
@@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut)
     }
 
     for (i = 0; i < count; i++) {
-        get_str(bc, name, sizeof(name));
+        ret = get_str(bc, name, sizeof(name));
+        if (ret < 0) {
+            av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n");
+            return ret;
+        }
         value = get_s(bc);
         str_value[0] = 0;
 
@@ -845,14 +849,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
     int sample_rate = 0;
     int width = 0;
     int height = 0;
-    int i;
+    int i, ret;
 
     for (i=0; i<count; i++) {
         uint8_t name[256], str_value[256], type_str[256];
         int value;
         if (avio_tell(bc) >= maxpos)
             return AVERROR_INVALIDDATA;
-        get_str(bc, name, sizeof(name));
+        ret = get_str(bc, name, sizeof(name));
+        if (ret < 0) {
+            av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n");
+            return ret;
+        }
         value = get_s(bc);
 
         if (value == -1) {



More information about the ffmpeg-cvslog mailing list