Commit 763c5728 authored by Andreas Cadhalpun's avatar Andreas Cadhalpun

asfdec_o: only set asf_pkt->data_size after sanity checks

Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.
Reviewed-by: 's avatarAlexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: 's avatarAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
parent f8bc0137
...@@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt) ...@@ -1136,14 +1136,15 @@ static int asf_read_replicated_data(AVFormatContext *s, ASFPacket *asf_pkt)
{ {
ASFContext *asf = s->priv_data; ASFContext *asf = s->priv_data;
AVIOContext *pb = s->pb; AVIOContext *pb = s->pb;
int ret; int ret, data_size;
if (!asf_pkt->data_size) { if (!asf_pkt->data_size) {
asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size data_size = avio_rl32(pb); // read media object size
if (asf_pkt->data_size <= 0) if (data_size <= 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0) if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
return ret; return ret;
asf_pkt->data_size = asf_pkt->size_left = data_size;
} else } else
avio_skip(pb, 4); // reading of media object size is already done avio_skip(pb, 4); // reading of media object size is already done
asf_pkt->dts = avio_rl32(pb); // read presentation time asf_pkt->dts = avio_rl32(pb); // read presentation time
...@@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt, ...@@ -1212,14 +1213,15 @@ static int asf_read_single_payload(AVFormatContext *s, AVPacket *pkt,
int64_t offset; int64_t offset;
uint64_t size; uint64_t size;
unsigned char *p; unsigned char *p;
int ret; int ret, data_size;
if (!asf_pkt->data_size) { if (!asf_pkt->data_size) {
asf_pkt->data_size = asf_pkt->size_left = avio_rl32(pb); // read media object size data_size = avio_rl32(pb); // read media object size
if (asf_pkt->data_size <= 0) if (data_size <= 0)
return AVERROR_EOF; return AVERROR_EOF;
if ((ret = av_new_packet(&asf_pkt->avpkt, asf_pkt->data_size)) < 0) if ((ret = av_new_packet(&asf_pkt->avpkt, data_size)) < 0)
return ret; return ret;
asf_pkt->data_size = asf_pkt->size_left = data_size;
} else } else
avio_skip(pb, 4); // skip media object size avio_skip(pb, 4); // skip media object size
asf_pkt->dts = avio_rl32(pb); // read presentation time asf_pkt->dts = avio_rl32(pb); // read presentation time
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment