asfdec_o: check for too small size in asf_read_unknown
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Wed, 6 Jan 2016 18:21:49 +0000 (19:21 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Wed, 27 Jan 2016 22:45:45 +0000 (23:45 +0100)
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c29e87ad55a2be29cc8ac5c0e047512c1f5d34d4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavformat/asfdec_o.c

index f8e5e1e..d8c4869 100644 (file)
@@ -190,8 +190,13 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
         if ((ret = detect_unknown_subobject(s, asf->unknown_offset,
                                             asf->unknown_size)) < 0)
             return ret;
-    } else
+    } else {
+        if (size < 24) {
+            av_log(s, AV_LOG_ERROR, "Too small size %"PRIu64" (< 24).\n", size);
+            return AVERROR_INVALIDDATA;
+        }
         avio_skip(pb, size - 24);
+    }
 
     return 0;
 }