From: Ronald S. Bultje <rsbultje@gmail.com>
Date: Fri, 17 Feb 2012 20:21:22 +0000 (-0800)
Subject: asf: error out on ridiculously large minpktsize values.
X-Git-Tag: v9_beta1~2684
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6e57a02b9f639af53acfa9fc742c1341400818f8;p=platform%2Fupstream%2Flibav.git

asf: error out on ridiculously large minpktsize values.

They cause various issues further down in demuxing.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 2922ecf..01411fa 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -202,6 +202,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size)
     asf->hdr.flags              = avio_rl32(pb);
     asf->hdr.min_pktsize        = avio_rl32(pb);
     asf->hdr.max_pktsize        = avio_rl32(pb);
+    if (asf->hdr.min_pktsize >= (1U<<29))
+        return AVERROR_INVALIDDATA;
     asf->hdr.max_bitrate        = avio_rl32(pb);
     s->packet_size = asf->hdr.max_pktsize;
 
@@ -616,7 +618,9 @@ static int asf_read_header(AVFormatContext *s)
         if (gsize < 24)
             return -1;
         if (!ff_guidcmp(&g, &ff_asf_file_header)) {
-            asf_read_file_properties(s, gsize);
+            int ret = asf_read_file_properties(s, gsize);
+            if (ret < 0)
+                return ret;
         } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
             asf_read_stream_properties(s, gsize);
         } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {