From bb23a15df507440deb0dcf25099d321d0f73dc28 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:34:42 +0200 Subject: nutdec: abort if EOF is reached in decode_info_header/read_sm_data These loops can take a lot of time if count is very large. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'libavformat') diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 8994a91826..f1cece8967 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut) AVIOContext *bc = s->pb; uint64_t tmp, chapter_start, chapter_len; unsigned int stream_id_plus1, count; - int chapter_id, i; + int chapter_id, i, ret; int64_t value, end; char name[256], str_value[1024], type_str[256]; const char *type; @@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut) } for (i = 0; i < count; i++) { - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n"); + return ret; + } value = get_s(bc); str_value[0] = 0; @@ -852,14 +856,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int int sample_rate = 0; int width = 0; int height = 0; - int i; + int i, ret; for (i=0; i= maxpos) return AVERROR_INVALIDDATA; - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n"); + return ret; + } value = get_s(bc); if (value == -1) { -- cgit v1.2.3