Message ID | 20170824231532.16002-5-michael@niedermayer.cc |
---|---|
State | Superseded |
On 8/25/17, Michael Niedermayer <michael@niedermayer.cc> wrote: > From: ****** and *********(******) <tony.sh and wangchu.zhl@alibaba-inc.com> > > Fixes: loop.asf > > Found-by: Xiaohei and Wangchu from Alibaba Security Team > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/asfdec_f.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c > index be09a92bd1..00dd5ec41d 100644 > --- a/libavformat/asfdec_f.c > +++ b/libavformat/asfdec_f.c > @@ -749,13 +749,20 @@ static int asf_read_marker(AVFormatContext *s, int64_t > size) > count = avio_rl32(pb); // markers count > avio_rl16(pb); // reserved 2 bytes > name_len = avio_rl16(pb); // name length > - for (i = 0; i < name_len; i++) > + for (i = 0; i < name_len; i++) { > + if (avio_feof(pb)) > + return AVERROR_INVALIDDATA; > avio_r8(pb); // skip the name This is very slow way to skip something. > + } > + > > for (i = 0; i < count; i++) { > int64_t pres_time; > int name_len; > > + if (avio_feof(pb)) > + return AVERROR_INVALIDDATA; > + > avio_rl64(pb); // offset, 8 bytes > pres_time = avio_rl64(pb); // presentation time > pres_time -= asf->hdr.preroll * 10000; > -- > 2.14.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >
On Fri, Aug 25, 2017 at 08:52:22AM +0200, Paul B Mahol wrote: > On 8/25/17, Michael Niedermayer <michael@niedermayer.cc> wrote: > > From: ****** and *********(******) <tony.sh and wangchu.zhl@alibaba-inc.com> > > > > Fixes: loop.asf > > > > Found-by: Xiaohei and Wangchu from Alibaba Security Team > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/asfdec_f.c | 9 ++++++++- > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c > > index be09a92bd1..00dd5ec41d 100644 > > --- a/libavformat/asfdec_f.c > > +++ b/libavformat/asfdec_f.c > > @@ -749,13 +749,20 @@ static int asf_read_marker(AVFormatContext *s, int64_t > > size) > > count = avio_rl32(pb); // markers count > > avio_rl16(pb); // reserved 2 bytes > > name_len = avio_rl16(pb); // name length > > - for (i = 0; i < name_len; i++) > > + for (i = 0; i < name_len; i++) { > > + if (avio_feof(pb)) > > + return AVERROR_INVALIDDATA; > > avio_r8(pb); // skip the name > > This is very slow way to skip something. yes, you are correct, i will fix that and resubmit thx [...]
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index be09a92bd1..00dd5ec41d 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,20 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) + for (i = 0; i < name_len; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_r8(pb); // skip the name + } + for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000;
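Review bot: the name-skipping loop is the costly part of this hunk, and the added avio_feof() test makes it worse: name_len is a 16-bit value read from the file, so a single marker header can now cost up to 65535 avio_r8() calls plus as many EOF checks. A single avio_skip(pb, name_len) followed by one avio_feof() check gives the same truncation protection in one call, which is the fix Paul asked for and the author agreed to resubmit. In the markers loop the check sits before the reads, so an iteration that hits EOF mid-record still completes with zeroed reads and only the next iteration bails out; that still bounds the loop on a truncated loop.asf, since count is a 32-bit value from the file and was previously trusted without any EOF check, but it is worth stating in the commit message that the intent is loop termination rather than per-read validation. Minor style point: the added '+' blank line after the closing brace leaves two consecutive empty lines before the count loop.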