Commit 5a4a4d78 authored by Reimar Döffinger's avatar Reimar Döffinger

Check size of "strf" header against size of enclosing "LIST" if there is one.

Originally committed as revision 19332 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent b098b309
...@@ -252,6 +252,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) ...@@ -252,6 +252,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
AVIStream *ast = NULL; AVIStream *ast = NULL;
int avih_width=0, avih_height=0; int avih_width=0, avih_height=0;
int amv_file_format=0; int amv_file_format=0;
uint64_t list_end = 0;
avi->stream_index= -1; avi->stream_index= -1;
...@@ -277,6 +278,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) ...@@ -277,6 +278,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
switch(tag) { switch(tag) {
case MKTAG('L', 'I', 'S', 'T'): case MKTAG('L', 'I', 'S', 'T'):
list_end = url_ftell(pb) + size;
/* Ignored, except at start of video packets. */ /* Ignored, except at start of video packets. */
tag1 = get_le32(pb); tag1 = get_le32(pb);
#ifdef DEBUG #ifdef DEBUG
...@@ -445,6 +447,9 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) ...@@ -445,6 +447,9 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
if (stream_index >= (unsigned)s->nb_streams || avi->dv_demux) { if (stream_index >= (unsigned)s->nb_streams || avi->dv_demux) {
url_fskip(pb, size); url_fskip(pb, size);
} else { } else {
uint64_t cur_pos = url_ftell(pb);
if (cur_pos < list_end)
size = FFMIN(size, list_end - cur_pos);
st = s->streams[stream_index]; st = s->streams[stream_index];
switch(codec_type) { switch(codec_type) {
case CODEC_TYPE_VIDEO: case CODEC_TYPE_VIDEO:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment