--- libavformat/swfdec.c.orig 2012-10-02 14:58:19.000000000 +0200
+++ libavformat/swfdec.c 2012-12-12 12:17:34.480049142 +0100
@@ -151,7 +151,11 @@
uint64_t pos = avio_tell(pb);
tag = get_swf_tag(pb, &len);
if (tag < 0)
- return tag;
+ return AVERROR(EIO);
+ if (len < 0) {
+ av_log(s, AV_LOG_ERROR, "invalid tag length: %d\n", len);
+ return AVERROR_INVALIDDATA;
+ }
if (tag == TAG_VIDEOSTREAM) {
int ch_id = avio_rl16(pb);
len -= 2;
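Review bot: Replacing `return tag;` with `return AVERROR(EIO);` discards whatever negative code get_swf_tag() produced, so a caller can no longer tell a normal end of file from a real read failure. get_swf_tag() is not visible in this hunk; if it already returns AVERROR values, keep `return tag;` and add only the new `len < 0` check. The `%d` in the added av_log() call also assumes `len` is an int, which its declaration outside the hunk should confirm.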
@@ -207,7 +211,10 @@
st = s->streams[i];
if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) {
frame = avio_rl16(pb);
- if ((res = av_get_packet(pb, pkt, len-2)) < 0)
+ len -= 2;
+ if (len <= 0)
+ goto skip;
+ if ((res = av_get_packet(pb, pkt, len)) < 0)
return res;
pkt->pos = pos;
pkt->pts = frame;
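Review bot: The length check comes after the read it is meant to guard. `frame = avio_rl16(pb);` consumes two bytes before `len` is tested, so a tag declaring fewer than two remaining bytes leaves the read position past the tag end, and the `FFMAX(0, len)` clamp at `skip:` cannot move it back. Testing first, with `if (len < 2) goto skip;` ahead of the avio_rl16() call, keeps the demuxer aligned on the next tag when the file is malformed. The same ordering appears in the MP3 branch (`avio_skip(pb, 4);` before `len -= 4`) and in the TAG_JPEG2 branch (`avio_rl16(pb); /* BITMAP_ID */` before `len -= 2`). The enclosing loop starts outside this hunk.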
@@ -219,17 +226,22 @@
for (i = 0; i < s->nb_streams; i++) {
st = s->streams[i];
if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) {
- if (st->codec->codec_id == AV_CODEC_ID_MP3) {
- avio_skip(pb, 4);
- if ((res = av_get_packet(pb, pkt, len-4)) < 0)
- return res;
- } else { // ADPCM, PCM
- if ((res = av_get_packet(pb, pkt, len)) < 0)
- return res;
- }
- pkt->pos = pos;
- pkt->stream_index = st->index;
- return pkt->size;
+ if (st->codec->codec_id == AV_CODEC_ID_MP3) {
+ avio_skip(pb, 4);
+ len -= 4;
+ if (len <= 0)
+ goto skip;
+ if ((res = av_get_packet(pb, pkt, len)) < 0)
+ return res;
+ } else { // ADPCM, PCM
+ if (len <= 0)
+ goto skip;
+ if ((res = av_get_packet(pb, pkt, len)) < 0)
+ return res;
+ }
+ pkt->pos = pos;
+ pkt->stream_index = st->index;
+ return pkt->size;
}
}
} else if (tag == TAG_JPEG2) {
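Review bot: Both arms of the codec test now end in the same `if (len <= 0) goto skip;` followed by the same av_get_packet() call, so the two paths could drift apart in a later change. The MP3 arm could be reduced to `avio_skip(pb, 4); len -= 4;`, with the shared check and the av_get_packet() call placed once after the if. The else arm would then go away and its `// ADPCM, PCM` remark could move beside the shared call. Behaviour on the lines shown stays the same.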
@@ -249,7 +261,10 @@
st = vst;
}
avio_rl16(pb); /* BITMAP_ID */
- if ((res = av_new_packet(pkt, len-2)) < 0)
+ len -= 2;
+ if (len < 4)
+ goto skip;
+ if ((res = av_new_packet(pkt, len)) < 0)
return res;
avio_read(pb, pkt->data, 4);
if (AV_RB32(pkt->data) == 0xffd8ffd9 ||
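Review bot: The result of `avio_read(pb, pkt->data, 4);` is not checked, so on a truncated file the `AV_RB32(pkt->data)` comparison on the next line may read bytes that were never filled in. The new `len < 4` guard only ensures the packet buffer is large enough, not that four bytes actually arrived. Testing `if (avio_read(pb, pkt->data, 4) != 4)` and releasing pkt before returning an error would close that gap. The rest of the TAG_JPEG2 branch lies outside this hunk.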
@@ -266,6 +281,7 @@
return pkt->size;
}
skip:
+ len = FFMAX(0, len);
avio_skip(pb, len);
}
}
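Review bot: The clamp added at `skip:` has no comment explaining why `len` can be negative here, even though a negative tag length is now rejected right after get_swf_tag(). A one-line comment such as `/* len can go negative once a handler has subtracted its fixed header size */` would tell the next reader that the clamp is presumably there to keep avio_skip() from receiving a negative offset. The loop that contains the label begins outside this hunk.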