From 30cdfb49b45e1802baabc3b4008a0eba03c29cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5ns=20Rullg=C3=A5rd?= <mans@mansr.com>
Date: Thu, 24 Jun 2010 15:10:06 +0000
Subject: [PATCH] asfdec: ensure number of streams is within bounds; remove VLA
 in asf_read_pts()

Originally committed as revision 23756 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/asfdec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index eb141468292..297383f64db 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -35,6 +35,7 @@ void ff_mms_set_stream_selection(URLContext *h, AVFormatContext *format);
 #undef NDEBUG
 #include <assert.h>
 
+#define ASF_MAX_STREAMS 127
 #define FRAME_HEADER_SIZE 17
 // Fix Me! FRAME_HEADER_SIZE may be different.
 
@@ -244,6 +245,11 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
             int64_t pos1, pos2, start_time;
             int test_for_ext_stream_audio, is_dvr_ms_audio=0;
 
+            if (s->nb_streams == ASF_MAX_STREAMS) {
+                av_log(s, AV_LOG_ERROR, "too many streams\n");
+                return AVERROR(EINVAL);
+            }
+
             pos1 = url_ftell(pb);
 
             st = av_new_stream(s, 0);
@@ -1053,7 +1059,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, int64_t *ppos,
     int64_t pts;
     int64_t pos= *ppos;
     int i;
-    int64_t start_pos[s->nb_streams];
+    int64_t start_pos[ASF_MAX_STREAMS];
 
     for(i=0; i<s->nb_streams; i++){
         start_pos[i]= pos;
-- 
GitLab