Commit 0ebb523f authored by Janne Grunau's avatar Janne Grunau

asfdec: check ff_get_guid() return values during seeking

Hitting EOF during seeking is quite likely. Fixes use of uninitialized
data during fate-seek-lavf-asf.
parent 462d5e8e
...@@ -1387,33 +1387,35 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, ...@@ -1387,33 +1387,35 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
return pts; return pts;
} }
static void asf_build_simple_index(AVFormatContext *s, int stream_index) static int asf_build_simple_index(AVFormatContext *s, int stream_index)
{ {
ff_asf_guid g; ff_asf_guid g;
ASFContext *asf = s->priv_data; ASFContext *asf = s->priv_data;
int64_t current_pos = avio_tell(s->pb); int64_t current_pos = avio_tell(s->pb);
int i; int i, ret = 0;
avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET); avio_seek(s->pb, asf->data_object_offset + asf->data_object_size, SEEK_SET);
ff_get_guid(s->pb, &g); if ((ret = ff_get_guid(s->pb, &g)) < 0)
goto end;
/* the data object can be followed by other top-level objects, /* the data object can be followed by other top-level objects,
* skip them until the simple index object is reached */ * skip them until the simple index object is reached */
while (ff_guidcmp(&g, &index_guid)) { while (ff_guidcmp(&g, &index_guid)) {
int64_t gsize = avio_rl64(s->pb); int64_t gsize = avio_rl64(s->pb);
if (gsize < 24 || s->pb->eof_reached) { if (gsize < 24 || s->pb->eof_reached) {
avio_seek(s->pb, current_pos, SEEK_SET); goto end;
return;
} }
avio_skip(s->pb, gsize - 24); avio_skip(s->pb, gsize - 24);
ff_get_guid(s->pb, &g); if ((ret = ff_get_guid(s->pb, &g)) < 0)
goto end;
} }
{ {
int64_t itime, last_pos = -1; int64_t itime, last_pos = -1;
int pct, ict; int pct, ict;
int64_t av_unused gsize = avio_rl64(s->pb); int64_t av_unused gsize = avio_rl64(s->pb);
ff_get_guid(s->pb, &g); if ((ret = ff_get_guid(s->pb, &g)) < 0)
goto end;
itime = avio_rl64(s->pb); itime = avio_rl64(s->pb);
pct = avio_rl32(s->pb); pct = avio_rl32(s->pb);
ict = avio_rl32(s->pb); ict = avio_rl32(s->pb);
...@@ -1436,7 +1438,11 @@ static void asf_build_simple_index(AVFormatContext *s, int stream_index) ...@@ -1436,7 +1438,11 @@ static void asf_build_simple_index(AVFormatContext *s, int stream_index)
} }
asf->index_read = ict > 0; asf->index_read = ict > 0;
} }
end:
if (s->pb->eof_reached)
ret = 0;
avio_seek(s->pb, current_pos, SEEK_SET); avio_seek(s->pb, current_pos, SEEK_SET);
return ret;
} }
static int asf_read_seek(AVFormatContext *s, int stream_index, static int asf_read_seek(AVFormatContext *s, int stream_index,
...@@ -1445,7 +1451,7 @@ static int asf_read_seek(AVFormatContext *s, int stream_index, ...@@ -1445,7 +1451,7 @@ static int asf_read_seek(AVFormatContext *s, int stream_index,
ASFContext *asf = s->priv_data; ASFContext *asf = s->priv_data;
AVStream *st = s->streams[stream_index]; AVStream *st = s->streams[stream_index];
int64_t pos; int64_t pos;
int index; int index, ret = 0;
if (s->packet_size <= 0) if (s->packet_size <= 0)
return -1; return -1;
...@@ -1460,9 +1466,9 @@ static int asf_read_seek(AVFormatContext *s, int stream_index, ...@@ -1460,9 +1466,9 @@ static int asf_read_seek(AVFormatContext *s, int stream_index,
} }
if (!asf->index_read) if (!asf->index_read)
asf_build_simple_index(s, stream_index); ret = asf_build_simple_index(s, stream_index);
if ((asf->index_read && st->index_entries)) { if (!ret && asf->index_read && st->index_entries) {
index = av_index_search_timestamp(st, pts, flags); index = av_index_search_timestamp(st, pts, flags);
if (index >= 0) { if (index >= 0) {
/* find the position */ /* find the position */
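Review bot: Every `goto end` path in asf_build_simple_index leaves `asf->index_read` at 0, so the `if (!asf->index_read)` test in asf_read_seek repeats the seek to `data_object_offset + data_object_size` and the top-level object walk on each seek request against a truncated or malformed file. Recording the failure would stop the retries, for example `asf->index_read = -1;` under `end:` when no index was built, with `asf->index_read > 0` in the caller's condition; this assumes the field is a signed int, since its declaration is not in the visible hunks. Separately, `itime`, `pct` and `ict` are read right after the last ff_get_guid() check with no `s->pb->eof_reached` test, so a file that ends inside the index header presumably passes zero-filled or partial counts to the entry loop, which lies outside the hunks shown. Adding `if (s->pb->eof_reached) goto end;` after the `ict` read would cover that case.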
......