[FFmpeg-devel] [PATCH 2/2] asfdec_o: reject size > INT64_MAX in asf_read_unknown
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Fri Jan 15 01:02:11 CET 2016
On 05.01.2016 13:26, Andreas Cadhalpun wrote:
> Both avio_skip and detect_unknown_subobject use int64_t for the size
> parameter.
>
> This fixes a segmentation fault due to infinite recursion.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavformat/asfdec_o.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
> index 79b9ee4..02809bb 100644
> --- a/libavformat/asfdec_o.c
> +++ b/libavformat/asfdec_o.c
> @@ -178,6 +178,9 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
> uint64_t size = avio_rl64(pb);
> int ret;
>
> + if (size > INT64_MAX)
> + return AVERROR_INVALIDDATA;
> +
> if (asf->is_header)
> asf->unknown_size = size;
> asf->is_header = 0;
>
Pushed now, as Alexandra (the author over at Libav) seems fine with it.
Best regards,
Andreas
More information about the ffmpeg-devel
mailing list