[FFmpeg-devel] [PATCH] asfdec: division by 0 on missing packet size

Michael Niedermayer michaelni
Thu Jul 2 21:26:51 CEST 2009


On Thu, Jul 02, 2009 at 05:43:37PM +0200, Reimar Döffinger wrote:
> On Thu, Jul 02, 2009 at 04:19:14PM +0200, Michael Niedermayer wrote:
> > On Thu, Jul 02, 2009 at 03:24:30PM +0200, Reimar Döffinger wrote:
> > > On Thu, Jul 02, 2009 at 02:55:56PM +0200, Michael Niedermayer wrote:
> > > > On Thu, Jul 02, 2009 at 02:35:44PM +0200, Reimar Döffinger wrote:
> > > > > Hello,
> > > > > AFAICT there is no way to demux ASF without knowing the packet size,
> > > > > thus read_header should already fail instead of crashing at read_packet
> > > > > when we try to calculate modulus the packet size.
> > > > 
> > > > hmm, the packet size should not be essential for demuxing, have you tried
> > > > to hack the % with something silly?
> > > 
> > > Actually demuxing can't work without it, since the ASF file does not have to
> > > explicitly code that packet_length, it can instead specify that packet_size
> > > should be used, which then breaks the whole code.
> > 
> > yes but, if a file did not use the default packet size it should work, I am not
> > at all asking to do anything about files that use the default with it =0
> > my reasoning was just that the default being 0 can't be worse than there being
> > an explicit 0, if it causes a crash or such it's a bug either way
> 
> If someone has a sample file, fine. Without one it is just adding code
> that nobody has any idea if it works or if/when it will crash.
> I have tried this hack, while decoding worked fine for _that_ file,
> there was a crash or endless loop when seeking, and I have no idea how
> it will behave on other files with or without the if (!packet_length)
> part.

> Index: libavformat/asfdec.c
> ===================================================================
> --- libavformat/asfdec.c        (revision 19325)
> +++ libavformat/asfdec.c        (working copy)
> @@ -595,6 +595,9 @@
>      int rsize = 8;
>      int c, d, e, off;
>  
> +    // if we do not know packet size, allow skipping up to 32 kB
> +    off= 32768;
> +    if (s->packet_size > 0)
>      off= (url_ftell(pb) - s->data_offset) % s->packet_size + 3;
>  
>      c=d=e=-1;
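Review bot: the fallback `off= 32768;` under the comment "allow skipping up to 32 kB" is a magic number that nothing in the hunk ties to the ASF format or to the packet boundaries the rest of the function is computing against; with `s->packet_size == 0` the modulus is no longer reached, but the sync loop is then handed a bound unrelated to any real packet. Either name the constant and document why a 32 kB resync window is safe, or, given the discussion above that demuxing cannot proceed without a packet size, reject such files in read_header with an error instead of guessing here.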

ok


> @@ -629,6 +632,7 @@
>      DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
>      DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
>  
> +    if (!packet_length) packet_length = 16451;
>      //the following checks prevent overflows and infinite loops
>      if(packet_length >= (1U<<29)){
>          av_log(s, AV_LOG_ERROR, "invalid packet_length %d at:%"PRId64"\n", packet_length, url_ftell(pb));
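Review bot: `if (!packet_length) packet_length = 16451;` substitutes an unexplained constant for a missing length immediately before a block whose own comment says the checks "prevent overflows and infinite loops"; a silently invented length hides a malformed or unsupported file from exactly those checks. Prefer treating `packet_length == 0` like the `packet_length >= (1U<<29)` branch directly below it, i.e. an `av_log(s, AV_LOG_ERROR, ...)` and `return -1`; if a fallback is kept at all, give the constant a name and a comment saying where 16451 comes from.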

ehm
an error message and return -1 seems a saner solution

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

> ... defining _GNU_SOURCE...
For the love of all that is holy, and some that is not, don't do that.
-- Luca & Mans
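The crash the thread is about, and the header-time check Reimar proposes instead, as an added example. This is not FFmpeg code and not the patch under discussion: it is a trimmed stand-in that reads the two little-endian packet-size fields from a constructed buffer (the struct, function names and the sample bytes are assumptions made for the example), refuses a zero packet size before any packet is read, resolves a per-packet length that may fall back to the header's packet size, and guards the `% packet_size` computation that the real demuxer performs.

```c
/* Added example, not FFmpeg's asfdec.c: demonstrates the division by zero on an
 * unknown ASF packet size and the read_header-time rejection that avoids it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the few fields of the demuxer context used here. */
struct asf_ctx {
    uint32_t min_pktsize;   /* minimum data packet size, from the header */
    uint32_t max_pktsize;   /* maximum data packet size, from the header */
    uint32_t packet_size;   /* the value read_packet later divides by */
};

/* Little-endian 32-bit read, as ASF stores its integers. */
static uint32_t rl32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the two packet-size fields. Returns 0 on success, -1 when the packet
 * size is 0: that file cannot be demuxed, so fail here rather than in read_packet. */
int asf_read_packet_sizes(struct asf_ctx *c, const uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    c->min_pktsize = rl32(buf);
    c->max_pktsize = rl32(buf + 4);
    c->packet_size = c->max_pktsize;   /* assumption: max is what the demuxer keys on */
    if (c->packet_size == 0) {
        fprintf(stderr, "asf: packet size is 0, cannot demux\n");
        return -1;
    }
    return 0;
}

/* A packet may omit its own length, in which case the header packet size applies.
 * Both being 0 is the case the thread's second hunk papers over with a constant;
 * here it is an error, and so is the overflow range the existing check rejects. */
int asf_resolve_packet_length(uint32_t explicit_len, uint32_t header_pktsize, uint32_t *out) {
    uint32_t len = explicit_len ? explicit_len : header_pktsize;
    if (len == 0 || len >= (1U << 29)) return -1;
    *out = len;
    return 0;
}

/* Offset within the current packet, the expression from the first hunk, but only
 * evaluated once packet_size is known to be non-zero (x86 raises SIGFPE otherwise). */
int asf_packet_offset(int64_t pos, int64_t data_offset, uint32_t packet_size, int64_t *off) {
    if (packet_size == 0) return -1;
    *off = (pos - data_offset) % packet_size + 3;
    return 0;
}

/* Runs the functions above over constructed input; returns 1 if every outcome
 * matches expectation, 0 otherwise. The byte strings are made up for the example. */
int asf_example_all_ok(void) {
    const uint8_t good[8] = {0x10, 0x40, 0, 0, 0x10, 0x40, 0, 0}; /* 16400 twice */
    const uint8_t zero[8] = {0};
    struct asf_ctx c;
    int64_t off = 0;
    uint32_t len = 0;

    if (asf_read_packet_sizes(&c, good, 8) != 0 || c.packet_size != 16400) return 0;
    if (asf_read_packet_sizes(&c, zero, 8) != -1) return 0;           /* rejected in header */
    if (asf_packet_offset(16450, 50, 0, &off) != -1) return 0;         /* no divide by zero */
    if (asf_packet_offset(16450, 50, 16400, &off) != 0 || off != 3) return 0;
    if (asf_resolve_packet_length(0, 16400, &len) != 0 || len != 16400) return 0;
    if (asf_resolve_packet_length(0, 0, &len) != -1) return 0;
    if (asf_resolve_packet_length(1U << 29, 16400, &len) != -1) return 0;
    return 1;
}

int main(void) {
    printf("asf packet-size checks: %s\n", asf_example_all_ok() ? "ok" : "FAILED");
    return asf_example_all_ok() ? 0 : 1;
}
```

The point of the split is that a zero packet size is detected once, while parsing the header, and the per-packet code never has to carry a sentinel value to avoid the modulus; the `1U << 29` bound is kept as in the existing check so the two rejection paths behave alike.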