summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorUoti Urpala <uau@mplayer2.org>2012-10-29 19:58:35 +0200
committerwm4 <wm4@nowhere>2012-11-01 02:12:17 +0100
commit02daf37328c57ab12bd086a0d4ce91a5f6d70a97 (patch)
treea8d09632c9446409241aac867d360798992c4dc8
parentc5eeac66544d6405701f3ffd1134964fbbf8ed51 (diff)
downloadmpv-02daf37328c57ab12bd086a0d4ce91a5f6d70a97.tar.bz2
mpv-02daf37328c57ab12bd086a0d4ce91a5f6d70a97.tar.xz
demux_mkv: fix a hang with invalid files
ebml_read_length() could return a negative value (as uint64_t though) at EOF, and this would then make ebml_read_skip() seek backwards. This could lead to an infinite loop at EOF with corrupt files. Add an extra check to make ebml_read_length() return EBML_UINT_INVALID instead if EOF is hit in the middle of parsing.
-rw-r--r--libmpdemux/ebml.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/libmpdemux/ebml.c b/libmpdemux/ebml.c
index 9bce3b5182..fba8177805 100644
--- a/libmpdemux/ebml.c
+++ b/libmpdemux/ebml.c
@@ -130,6 +130,8 @@ uint64_t ebml_read_length(stream_t *s, int *length)
}
if (j == num_ffs)
return EBML_UINT_INVALID;
+ if (len >= 1ULL<<63) // Can happen if stream_read_char returns EOF
+ return EBML_UINT_INVALID;
return len;
}