From 2aec600ae7af7d46a4877b5ccc263b39f05a91cb Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Wed, 6 Jan 2016 07:32:25 +0100
Subject: asfdec: reject size > INT64_MAX in asf_read_unknown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.

This fixes a segmentation fault due to infinite recursion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/asfdec.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'libavformat/asfdec.c')

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 58480dc36a..4fc0e3dbb0 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -178,6 +178,9 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
     uint64_t size   = avio_rl64(pb);
     int ret;
 
+    if (size > INT64_MAX)
+        return AVERROR_INVALIDDATA;
+
     if (asf->is_header)
         asf->unknown_size = size;
     asf->is_header = 0;
-- 
cgit v1.2.3