[FFmpeg-devel] [PATCH 5/5] avformat/mxfdec: fix and enhance RIP KLV length checks

Fri Apr 12 02:09:20 EEST 2019

KLV length is BER encoded (variable size), but the code assumed the encoding to
always use 4 bytes.

Fixes parsing Random Index Pack in samples/MXF/issue2160/PW0805A0V01.4C5B5636.EFA330.mxf.

Signed-off-by: Marton Balint <cus at passwd.hu>
---
 libavformat/mxfdec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 6f0f87763d..a69f2f1996 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -3126,9 +3126,12 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
         goto end;
     avio_seek(s->pb, file_size - length, SEEK_SET);
     if (klv_read_packet(&klv, s->pb) < 0 ||
-        !IS_KLV_KEY(klv.key, mxf_random_index_pack_key) ||
-        klv.length != length - 20)
+        !IS_KLV_KEY(klv.key, mxf_random_index_pack_key))
         goto end;
+    if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) {
+        av_log(s, AV_LOG_WARNING, "Invalid RIP KLV length\n");
+        goto end;
+    }
 
     avio_skip(s->pb, klv.length - 12);
     mxf->footer_partition = avio_rb64(s->pb);
-- 
2.16.4

