demux_asf: add sanity check

Check that rlen is valid before using it to increment a pointer. git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@32832 b3059339-0415-0410-9bf9-f77b7e298cf2
author: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> 2011-01-30 10:38:10 +0000
committer: Uoti Urpala <uau@glyph.nonexistent.invalid> 2011-02-15 18:47:03 +0200
commit: 851bb3ce825a250b257c174eae334e239c431eb2 (patch)
tree: 72c7c893633d4f9fec26bb2c7a33019606fce5e2
parent: 179cb785e98ba980d0c64fc16922122d427c1554 (diff)
download: mpv-851bb3ce825a250b257c174eae334e239c431eb2.tar.bz2
mpv-851bb3ce825a250b257c174eae334e239c431eb2.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/libmpdemux/demux_asf.c b/libmpdemux/demux_asf.c
index ffbbe0305f..aef2f5ece0 100644
--- a/libmpdemux/demux_asf.c
+++ b/libmpdemux/demux_asf.c
@@ -468,6 +468,10 @@ static int demux_asf_fill_buffer(demuxer_t *demux, demux_stream_t *ds){
 	      rlen = read_varlen(&p, segtype, 0);
 
 //	      printf("### rlen=%d   \n",rlen);
+              if (rlen < 0 || rlen > p_end - p) {
+                mp_msg(MSGT_DEMUX, MSGL_V, "invalid rlen=%d\n", rlen);
+                break;
+              }
 
               switch(rlen){
               case 0x01: // 1 = special, means grouping
author	reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>	2011-01-30 10:38:10 +0000
committer	Uoti Urpala <uau@glyph.nonexistent.invalid>	2011-02-15 18:47:03 +0200
commit	851bb3ce825a250b257c174eae334e239c431eb2 (patch)
tree	72c7c893633d4f9fec26bb2c7a33019606fce5e2
parent	179cb785e98ba980d0c64fc16922122d427c1554 (diff)
download	mpv-851bb3ce825a250b257c174eae334e239c431eb2.tar.bz2 mpv-851bb3ce825a250b257c174eae334e239c431eb2.tar.xz