Commit 445a02b1 authored by Michael Niedermayer

avformat/rtpdec_asf: Fix potential pointer overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 870ec3f6
...@@ -54,6 +54,7 @@ static int rtp_asf_fix_header(uint8_t *buf, int len) ...@@ -54,6 +54,7 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
p += sizeof(ff_asf_guid) + 14; p += sizeof(ff_asf_guid) + 14;
do { do {
uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid)); uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid));
int skip = 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;
if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) { if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) {
if (chunksize > end - p) if (chunksize > end - p)
return -1; return -1;
...@@ -61,9 +62,11 @@ static int rtp_asf_fix_header(uint8_t *buf, int len) ...@@ -61,9 +62,11 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
continue; continue;
} }
if (end - p < 8 + skip)
break;
/* skip most of the file header, to min_pktsize */ /* skip most of the file header, to min_pktsize */
p += 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2; p += skip;
if (p + 8 <= end && AV_RL32(p) == AV_RL32(p + 4)) { if (AV_RL32(p) == AV_RL32(p + 4)) {
/* and set that to zero */ /* and set that to zero */
AV_WL32(p, 0); AV_WL32(p, 0);
return 0; return 0;
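Review bot: The object-skipping branch tests only the upper bound, `if (chunksize > end - p) return -1;`, so a `chunksize` of zero, or one smaller than the object header itself (the GUID plus the 64-bit size field read by `AV_RL64`), is accepted from the stream. The statement between the two hunks is not shown; if it advances `p` by `chunksize` before the `continue`, a zero value makes no progress, and termination then depends on the loop condition, which is also outside the hunk. Rejecting undersized objects in the same test would close this: `if (chunksize < sizeof(ff_asf_guid) + 8 || chunksize > end - p) return -1;`. Separately, the `8` in the new `end - p < 8 + skip` guard deserves a short comment saying it covers the two 32-bit fields read by `AV_RL32(p)` and `AV_RL32(p + 4)`, since the bounds check that used to sit next to those reads is removed.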
......