authorMichael Niedermayer <michaelni@gmx.at>2007-01-22 16:37:45 +0000
committerMichael Niedermayer <michaelni@gmx.at>2007-01-22 16:37:45 +0000
commit4c71d7270104ce148faa2e44237450a9d303de96 (patch)
treebf1e4546fc042513014aa09ab9a444136eea6068 /libavformat/asf.c
parentae60a8578080a934592503a07dd1aa31b427f6e7 (diff)
check fragment offset and size
yes this too could have been exploitable ... Originally committed as revision 7650 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/asf.c')
-rw-r--r--libavformat/asf.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavformat/asf.c b/libavformat/asf.c
index fc3a7dead8..ef7ae5e6ea 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -703,6 +703,14 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
asf->packet_size_left -= asf->packet_frag_size;
if (asf->packet_size_left < 0)
continue;
+
+ if( asf->packet_frag_offset >= asf_st->pkt.size
+ || asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
+ av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
+ asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
+ continue;
+ }
+
get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
asf->packet_frag_size);
asf_st->frag_offset += asf->packet_frag_size;
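Review bot: The new rejection branch reaches `continue;` without reading the fragment payload, although `asf->packet_size_left` was already reduced by `asf->packet_frag_size` three lines earlier. After a rejected fragment the position in `pb` and the remaining-size accounting therefore appear to disagree, and the next iteration may parse payload bytes as a fragment header. Consider consuming the payload first, e.g. `url_fskip(pb, asf->packet_frag_size);` before the `continue;`, if that matches how the rest of the loop discards fragments. Separately, all three values are logged with `%u`; if `asf_st->pkt.size` is a signed `int`, a comment such as `/* pkt.size is non-negative here, so the unsigned compare and subtraction cannot wrap */` would record why the bound is sound. The body of asf_read_packet starts and ends outside this hunk, so the loop behaviour is inferred.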