@@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len)
}
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len)
+ uint32_t val_len)
{
+ if (val_len > INT32_MAX) {
+ av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name);
+ return 1;
+ }
+
if (!strcmp(name, "WM/Picture")) // handle cover art
- return asf_read_picture(s, val_len);
+ return asf_read_picture(s, (int)val_len);
else if (!strcmp(name, "ID3")) // handle ID3 tag
- return get_id3_tag(s, val_len);
+ return get_id3_tag(s, (int)val_len);
+ av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name);
return 1;
}
@@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[];
* is unsupported by this function and 0 otherwise.
*/
int ff_asf_handle_byte_array(AVFormatContext *s, const char *name,
- int val_len);
+ uint32_t val_len);
#define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
The spec allows attachment sizes of up to UINT32_MAX while we can handle only sizes up to INT32_MAX (in downstream code). The debug.assert in get_tag didn't really address this, and truncating the value_len in calling methods cannot be used because the length value is required in order to continue parsing. This adds a check with log message in ff_asf_handle_byte_array to handle those (rare) cases. Signed-off-by: softworkz <softworkz@hotmail.com> --- libavformat/asf.c | 12 +++++++++--- libavformat/asf.h | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-)