On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote: > Otherwise sm_size can be larger than size, which results in a negative > packet size. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavformat/nutdec.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-)
> > diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c > index 13fb399..43bd27b 100644 > --- a/libavformat/nutdec.c > +++ b/libavformat/nutdec.c > @@ -888,7 +888,7 @@ fail: > > static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, > int is_meta, int64_t maxpos) > { > - int count = ffio_read_varlen(bc); > + int count; > int skip_start = 0; > int skip_end = 0; > int channels = 0; > @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext > *bc, AVPacket *pkt, int > int height = 0; > int i, ret; > > + if (avio_tell(bc) >= maxpos) > + return AVERROR_INVALIDDATA; > + > + count = ffio_read_varlen(bc); ffio_read_varlen() could move the position beyond maxpos yet return 0 so the loop with the checks inside is skipped [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Breaking DRM is a little like attempting to break through a door even though the window is wide open and the only thing in the house is a bunch of things you don't want and which you would get tomorrow for free anyway
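Review bot: In the second hunk the `avio_tell(bc) >= maxpos` test runs before `count = ffio_read_varlen(bc)`, so it bounds only the starting position and not the bytes consumed while reading count itself. If that read crosses maxpos and count comes back as 0, the checks inside the loop never execute and the function continues with a position past maxpos, which is the "sm_size larger than size" case the commit message sets out to prevent. Consider repeating the position check after count is read, or once after the loop, and returning AVERROR_INVALIDDATA there as well.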
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel