asfdec: Check packet_replic_size earlier
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 31 Oct 2011 21:42:45 +0000 (22:42 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 4 Nov 2011 12:32:50 +0000 (13:32 +0100)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 60fcc19bff49e0b1972eae014afc087afd94a415)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/asfdec.c

index 033bded..be8885d 100644 (file)
@@ -808,6 +808,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
     DO_2BITS(asf->packet_property >> 2, asf->packet_frag_offset, 0);
     DO_2BITS(asf->packet_property, asf->packet_replic_size, 0);
 //printf("key:%d stream:%d seq:%d offset:%d replic_size:%d\n", asf->packet_key_frame, asf->stream_index, asf->packet_seq, //asf->packet_frag_offset, asf->packet_replic_size);
+    if (rsize+asf->packet_replic_size > asf->packet_size_left) {
+        av_log(s, AV_LOG_ERROR, "packet_replic_size %d is invalid\n", asf->packet_replic_size);
+        return -1;
+    }
     if (asf->packet_replic_size >= 8) {
         asf->packet_obj_size = avio_rl32(pb);
         if(asf->packet_obj_size >= (1<<24) || asf->packet_obj_size <= 0){
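Review bot: The added guard `rsize+asf->packet_replic_size > asf->packet_size_left` adds two signed values before comparing, and packet_replic_size is taken from the file by the DO_2BITS line just above it. The `%d` in the new log call suggests it is an int, but the macro and the declarations are outside this hunk. If the field can be up to 32 bits wide, a value near INT_MAX overflows the addition, which is undefined behaviour and in practice may wrap negative and pass the check. A negative value would also pass here and appears to be rejected only by the later "unexpected packet_replic_size" branch. Comparing against the remaining space avoids the addition: `if (asf->packet_replic_size < 0 || asf->packet_replic_size > asf->packet_size_left - rsize) {`. Because asf_read_frame_header starts and ends outside the hunk, confirm that rsize and packet_size_left cannot be negative at this point.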
@@ -842,10 +846,6 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
         av_log(s, AV_LOG_ERROR, "unexpected packet_replic_size of %d\n", asf->packet_replic_size);
         return -1;
     }
-    if (rsize > asf->packet_size_left) {
-        av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
-        return -1;
-    }
     if (asf->packet_flags & 0x01) {
         DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
         if (rsize > asf->packet_size_left) {