On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote: > Otherwise sm_size can be larger than size, which results in a negative > packet size. > > Signed-off-by: Andreas Cadhalpun <[email protected]> > --- > libavformat/nutdec.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> index 13fb399..43bd27b 100644
> --- a/libavformat/nutdec.c
> +++ b/libavformat/nutdec.c
> @@ -888,7 +888,7 @@ fail:
>
> static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt,
> int is_meta, int64_t maxpos)
> {
> - int count = ffio_read_varlen(bc);
> + int count;
> int skip_start = 0;
> int skip_end = 0;
> int channels = 0;
> @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext
> *bc, AVPacket *pkt, int
> int height = 0;
> int i, ret;
>
> + if (avio_tell(bc) >= maxpos)
> + return AVERROR_INVALIDDATA;
> +
> + count = ffio_read_varlen(bc);
ffio_read_varlen() could move the position beyond maxpos yet return
0 so the loop with teh checks inside is skiped
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you dont want and which you would get tomorrow for free anyway
signature.asc
Description: Digital signature
_______________________________________________ ffmpeg-devel mailing list [email protected] http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
