[FFmpeg-devel] [PATCH] asfdec: division by 0 on missing packet size
Reimar Döffinger
Reimar.Doeffinger
Fri Jul 3 13:24:16 CEST 2009
On Thu, Jul 02, 2009 at 09:26:51PM +0200, Michael Niedermayer wrote:
> > @@ -629,6 +632,7 @@
> > DO_2BITS(asf->packet_flags >> 1, padsize, 0); // sequence ignored
> > DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
> >
> > + if (!packet_length) packet_length = 16451;
> > //the following checks prevent overflows and infinite loops
> > if(packet_length >= (1U<<29)){
> > av_log(s, AV_LOG_ERROR, "invalid packet_length %d at:%"PRId64"\n", packet_length, url_ftell(pb));
>
> ehm
> an error message and return -1 seems a saner solution
This was just meant to demonstrate how I verified that patch to be
working without having a file that does not use packet_size.
I'd prefer to not check for this case at all, since I am not 100%
sure that packet_length == 0 is invalid.
In addition, in most cases this is caught by the padsize >= packet_length
check anyway.
Correction: since it's >=, it will always be caught by this check, so
packet_length == 0 is already treated as invalid. Do you want me to apply this:
Index: libavformat/asfdec.c
===================================================================
--- libavformat/asfdec.c (revision 19331)
+++ libavformat/asfdec.c (working copy)
@@ -633,7 +633,7 @@
DO_2BITS(asf->packet_flags >> 3, padsize, 0); // padding length
//the following checks prevent overflows and infinite loops
- if(packet_length >= (1U<<29)){
+ if(!packet_length || packet_length >= (1U<<29)){
av_log(s, AV_LOG_ERROR, "invalid packet_length %d at:%"PRId64"\n", packet_length, url_ftell(pb));
return -1;
}
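Review bot: The `!packet_length ||` test added to the range check is not explained by the comment above it, which still reads "the following checks prevent overflows and infinite loops" and says nothing about the zero case or the division by 0 named in the subject. The mail also states that the `padsize >= packet_length` check already rejects 0, so either extend the comment to say this test exists to fail early with the "invalid packet_length" message, or drop the added condition as redundant.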