From: Ronald S. Bultje <rbultje@google.com>
Date: Wed, 27 Apr 2011 22:42:16 +0000 (-0700)
Subject: asfdec: fix parsing of packets that overrun into padding.
X-Git-Tag: v0.7b2~132
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f8b1245922cf4c7692750e9198cf57598f9647d5;p=platform%2Fupstream%2Flibav.git

asfdec: fix parsing of packets that overrun into padding.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
---

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 8e10d68..637ceed 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -853,8 +853,14 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
     if (asf->packet_flags & 0x01) {
         DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
         if(asf->packet_frag_size > asf->packet_size_left - rsize){
-            av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid\n");
-            return -1;
+            if (asf->packet_frag_size > asf->packet_size_left - rsize + asf->packet_padsize) {
+                av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid (%d-%d)\n", asf->packet_size_left, rsize);
+                return -1;
+            } else {
+                int diff = asf->packet_frag_size - (asf->packet_size_left - rsize);
+                asf->packet_size_left += diff;
+                asf->packet_padsize   -= diff;
+            }
         }
         //printf("Fragsize %d\n", asf->packet_frag_size);
     } else {