From 30cdfb49b45e1802baabc3b4008a0eba03c29cfe Mon Sep 17 00:00:00 2001 From: =?utf8?q?M=C3=A5ns=20Rullg=C3=A5rd?= Date: Thu, 24 Jun 2010 15:10:06 +0000 Subject: [PATCH] asfdec: ensure number of streams is within bounds; remove VLA in asf_read_pts() Originally committed as revision 23756 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavformat/asfdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index eb14146..297383f 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -35,6 +35,7 @@ void ff_mms_set_stream_selection(URLContext *h, AVFormatContext *format); #undef NDEBUG #include +#define ASF_MAX_STREAMS 127 #define FRAME_HEADER_SIZE 17 // Fix Me! FRAME_HEADER_SIZE may be different. @@ -244,6 +245,11 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) int64_t pos1, pos2, start_time; int test_for_ext_stream_audio, is_dvr_ms_audio=0; + if (s->nb_streams == ASF_MAX_STREAMS) { + av_log(s, AV_LOG_ERROR, "too many streams\n"); + return AVERROR(EINVAL); + } + pos1 = url_ftell(pb); st = av_new_stream(s, 0); @@ -1053,7 +1059,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, int64_t *ppos, int64_t pts; int64_t pos= *ppos; int i; - int64_t start_pos[s->nb_streams]; + int64_t start_pos[ASF_MAX_STREAMS]; for(i=0; inb_streams; i++){ start_pos[i]= pos; -- 2.7.4