asfdec_o: check for too small size in asf_read_unknown

This fixes infinite loops due to seeking back. Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

asfdec_o: check for too small size in asf_read_unknown
This fixes infinite loops due to seeking back. Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
c29e87ad · Andreas Cadhalpun · 0e32153e · c29e87ad
Commit c29e87ad authored Jan 06, 2016 by Andreas Cadhalpun
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

asfdec_o.c libavformat/asfdec_o.c +6 -1

No files found.
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -190,8 +190,13 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
        if ((ret = detect_unknown_subobject(s, asf->unknown_offset,
                                            asf->unknown_size)) < 0)
            return ret;
-    } else
+    } else {
+        if (size < 24) {
+            av_log(s, AV_LOG_ERROR, "Too small size %"PRIu64" (< 24).\n", size);
+            return AVERROR_INVALIDDATA;
+        }
        avio_skip(pb, size - 24);
+    }

    return 0;
 }