avformat/rtpdec_asf: Fix potential pointer overflow

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2015-04-12 17:41:23 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2015-04-12 17:41:23 +0200
commit: 445a02b1ec5ea94d28ea2503a3ae0272fcff0e12 (patch)
tree: e43b869c21d0b0af38b97db07e839526600c96f7 /libavformat/rtpdec_asf.c
parent: 870ec3f69e04e04d1efd33bd7e8cc439de1f766e (diff)
download: ffmpeg-445a02b1ec5ea94d28ea2503a3ae0272fcff0e12.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index e8377b9389..066bb0ed37 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -54,6 +54,7 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
     p += sizeof(ff_asf_guid) + 14;
     do {
         uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid));
+        int skip = 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;
         if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) {
             if (chunksize > end - p)
                 return -1;
@@ -61,9 +62,11 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
             continue;
         }
 
+        if (end - p < 8 + skip)
+            break;
         /* skip most of the file header, to min_pktsize */
-        p += 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;
-        if (p + 8 <= end && AV_RL32(p) == AV_RL32(p + 4)) {
+        p += skip;
+        if (AV_RL32(p) == AV_RL32(p + 4)) {
             /* and set that to zero */
             AV_WL32(p, 0);
             return 0;
author	Michael Niedermayer <michaelni@gmx.at>	2015-04-12 17:41:23 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2015-04-12 17:41:23 +0200
commit	445a02b1ec5ea94d28ea2503a3ae0272fcff0e12 (patch)
tree	e43b869c21d0b0af38b97db07e839526600c96f7 /libavformat/rtpdec_asf.c
parent	870ec3f69e04e04d1efd33bd7e8cc439de1f766e (diff)
download	ffmpeg-445a02b1ec5ea94d28ea2503a3ae0272fcff0e12.tar.gz