From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Wed, 6 Jan 2016 06:32:25 +0000 (+0100)
Subject: asfdec: reject size > INT64_MAX in asf_read_unknown
X-Git-Tag: android-x86-7.1-r1~252^2~1624
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=2aec600ae7af7d46a4877b5ccc263b39f05a91cb;p=android-x86%2Fexternal-ffmpeg.git

asfdec: reject size > INT64_MAX in asf_read_unknown

Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.

This fixes a segmentation fault due to infinite recursion.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
---

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 58480dc36a..4fc0e3dbb0 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -178,6 +178,9 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g)
     uint64_t size   = avio_rl64(pb);
     int ret;
 
+    if (size > INT64_MAX)
+        return AVERROR_INVALIDDATA;
+
     if (asf->is_header)
         asf->unknown_size = size;
     asf->is_header = 0;