Revision 74d6871d libavformat/mms.c

View differences:

libavformat/mms.c
115 115
                       "Corrupt stream (too many A/V streams)\n");
116 116
                return AVERROR_INVALIDDATA;
117 117
            }
118
        } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
119
            if (end - p >= 88) {
120
                int stream_count = AV_RL16(p + 84), ext_len_count = AV_RL16(p + 86);
121
                uint64_t skip_bytes = 88;
122
                while (stream_count--) {
123
                    if (end - p < skip_bytes + 4) {
124
                        av_log(NULL, AV_LOG_ERROR,
125
                               "Corrupt stream (next stream name length is not in the buffer)\n");
126
                        return AVERROR_INVALIDDATA;
127
                    }
128
                    skip_bytes += 4 + AV_RL16(p + skip_bytes + 2);
129
                }
130
                while (ext_len_count--) {
131
                    if (end - p < skip_bytes + 22) {
132
                        av_log(NULL, AV_LOG_ERROR,
133
                               "Corrupt stream (next extension system info length is not in the buffer)\n");
134
                        return AVERROR_INVALIDDATA;
135
                    }
136
                    skip_bytes += 22 + AV_RL32(p + skip_bytes + 18);
137
                }
138
                if (end - p < skip_bytes) {
139
                    av_log(NULL, AV_LOG_ERROR,
140
                           "Corrupt stream (the last extension system info length is invalid)\n");
141
                    return AVERROR_INVALIDDATA;
142
                }
143
                if (chunksize - skip_bytes > 24)
144
                    chunksize = skip_bytes;
145
            }
118 146
        } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
119 147
            chunksize = 46; // see references [2] section 3.4. This should be set 46.
120 148
        }

Also available in: Unified diff