diff options
author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-05-20 00:34:42 +0200 |
---|---|---|
committer | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-05-20 20:43:54 +0200 |
commit | bb23a15df507440deb0dcf25099d321d0f73dc28 (patch) | |
tree | 22a5ce8a76c3789abed0bdd1c6f4aaff601f3a3e /libavformat | |
parent | 265d884eb076aca31a84596a41eb8b9db96db6b4 (diff) | |
download | ffmpeg-bb23a15df507440deb0dcf25099d321d0f73dc28.tar.gz |
nutdec: abort if EOF is reached in decode_info_header/read_sm_data
These loops can take a lot of time if count is very large.
Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/nutdec.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 8994a91826..f1cece8967 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut) AVIOContext *bc = s->pb; uint64_t tmp, chapter_start, chapter_len; unsigned int stream_id_plus1, count; - int chapter_id, i; + int chapter_id, i, ret; int64_t value, end; char name[256], str_value[1024], type_str[256]; const char *type; @@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut) } for (i = 0; i < count; i++) { - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n"); + return ret; + } value = get_s(bc); str_value[0] = 0; @@ -852,14 +856,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int int sample_rate = 0; int width = 0; int height = 0; - int i; + int i, ret; for (i=0; i<count; i++) { uint8_t name[256], str_value[256], type_str[256]; int value; if (avio_tell(bc) >= maxpos) return AVERROR_INVALIDDATA; - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n"); + return ret; + } value = get_s(bc); if (value == -1) { |