[FFmpeg-devel] [PATCH 4/8] Prevent the RM demuxer from returning uninitialized AVPacket in case of corrupted streams.

Michael Niedermayer michaelni at gmx.at
Sat Sep 17 18:25:12 CEST 2011


On Sat, Sep 17, 2011 at 04:56:32PM +0200, fenrir at elivagar.org wrote:
> From: Laurent Aimar <fenrir at videolan.org>
> 
> ---
>  libavformat/rmdec.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
> index 02ff7e9..1c96573 100644
> --- a/libavformat/rmdec.c
> +++ b/libavformat/rmdec.c
> @@ -764,6 +764,8 @@ ff_rm_parse_packet (AVFormatContext *s, AVIOContext *pb,
>               ast->sub_packet_cnt = 0;
>               rm->audio_stream_num = st->index;
>               rm->audio_pkt_cnt = h * w / st->codec->block_align;
> +             if (rm->audio_pkt_cnt <= 0)
> +                 return -1;
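
Review bot: The added rm->audio_pkt_cnt <= 0 test runs only after h * w / st->codec->block_align has been evaluated, so it cannot catch a zero block_align (division by zero) or a signed overflow of h * w; neither is guarded in the visible lines. Suggest validating h, w and block_align before the division, and returning AVERROR_INVALIDDATA instead of a bare -1 so callers can tell corrupted input apart from other failures.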

h*w should be checked for overflow. Also I've not exhaustively checked,
but possibly simply replacing all the incorrect UINT_MAX checks by
INT_MAX would make the <0 unneeded.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
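
The overflow check asked for in the reply above, as an added example that is not part of the original mail or of FFmpeg's code. It assumes h, w and block_align are plain int values; rm_audio_pkt_cnt is a hypothetical helper name and the inputs in main() are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not in libavformat): computes h * w / block_align
 * like the patched line, but rejects inputs for which the intermediate
 * product would overflow int or the resulting count would not be positive.
 * Returns 0 and stores the count in *cnt on success, -1 on invalid input. */
static int rm_audio_pkt_cnt(int h, int w, int block_align, int *cnt)
{
    int n;

    /* A corrupted header can carry zero or negative sizes; a zero
     * block_align would also be a division by zero below. */
    if (h <= 0 || w <= 0 || block_align <= 0)
        return -1;

    /* For positive operands, h * w > INT_MAX  <=>  h > INT_MAX / w.
     * Testing this first avoids the undefined signed overflow. */
    if (h > INT_MAX / w)
        return -1;

    n = h * w / block_align;

    /* A product smaller than block_align gives zero packets, which is
     * the case the patch's "<= 0" test rejects. */
    if (n == 0)
        return -1;

    *cnt = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one plausible header, three corrupted ones. */
    int in[][3] = { {16, 640, 64}, {65536, 65536, 1}, {2, 3, 8}, {4, 4, 0} };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int cnt = 0;
        int ret = rm_audio_pkt_cnt(in[i][0], in[i][1], in[i][2], &cnt);
        printf("h=%d w=%d align=%d -> ret=%d cnt=%d\n",
               in[i][0], in[i][1], in[i][2], ret, cnt);
    }
    return 0;
}
```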