Commit ea4b2b5e authored by Michael Niedermayer's avatar Michael Niedermayer

do not misuse movi_end for checking chunk sizes

Originally committed as revision 10113 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 60a9966e
...@@ -48,6 +48,7 @@ typedef struct AVIStream { ...@@ -48,6 +48,7 @@ typedef struct AVIStream {
typedef struct { typedef struct {
int64_t riff_end; int64_t riff_end;
int64_t movi_end; int64_t movi_end;
int64_t fsize;
offset_t movi_list; offset_t movi_list;
int index_loaded; int index_loaded;
int is_odml; int is_odml;
...@@ -226,6 +227,10 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) ...@@ -226,6 +227,10 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
if (get_riff(avi, pb) < 0) if (get_riff(avi, pb) < 0)
return -1; return -1;
avi->fsize = url_fsize(pb);
if(avi->fsize<=0)
avi->fsize= avi->riff_end;
/* first list tag */ /* first list tag */
stream_index = -1; stream_index = -1;
codec_type = -1; codec_type = -1;
...@@ -690,7 +695,7 @@ resync: ...@@ -690,7 +695,7 @@ resync:
n= 100; //invalid stream id n= 100; //invalid stream id
} }
//av_log(NULL, AV_LOG_DEBUG, "%X %X %X %X %X %X %X %X %"PRId64" %d %d\n", d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], i, size, n); //av_log(NULL, AV_LOG_DEBUG, "%X %X %X %X %X %X %X %X %"PRId64" %d %d\n", d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], i, size, n);
if(i + size > avi->movi_end || d[0]<0) if(i + size > avi->fsize || d[0]<0)
continue; continue;
//parse ix## //parse ix##
...@@ -755,7 +760,7 @@ resync: ...@@ -755,7 +760,7 @@ resync:
if ( d[0] >= '0' && d[0] <= '9' if ( d[0] >= '0' && d[0] <= '9'
&& d[1] >= '0' && d[1] <= '9' && d[1] >= '0' && d[1] <= '9'
&& ((d[2] == 'p' && d[3] == 'c')) && ((d[2] == 'p' && d[3] == 'c'))
&& n < s->nb_streams && i + size <= avi->movi_end) { && n < s->nb_streams && i + size <= avi->fsize) {
AVStream *st; AVStream *st;
int first, clr, flags, k, p; int first, clr, flags, k, p;
......
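Review bot: Both rewritten bounds checks in the `resync:` loop (`i + size > avi->fsize` and `i + size <= avi->fsize`) test only the upper limit, so a negative `size` would make `i + size` fall below `i` and pass. The declaration of `size` is outside these hunks, but the commented-out `av_log` prints it with `%d`, which suggests a signed int filled from the chunk header. I would reject it explicitly: `if(size < 0 || i + size > avi->fsize || d[0]<0)` in the first check and `&& size >= 0 && i + size <= avi->fsize` in the palette-change check. Separately, when `url_fsize()` returns a value <= 0, the limit falls back to `avi->riff_end`, which presumably comes from the RIFF header via `get_riff()` and so is file-controlled. A comment at the fallback such as `/* size unknown (e.g. non-seekable input): riff_end is taken from the file and is not a trusted bound */` would make that explicit for later readers.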