diff options
author | Uoti Urpala <uau@mplayer2.org> | 2012-10-29 19:58:35 +0200 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2012-11-01 02:12:17 +0100 |
commit | 02daf37328c57ab12bd086a0d4ce91a5f6d70a97 (patch) | |
tree | a8d09632c9446409241aac867d360798992c4dc8 /libmpdemux/ebml.c | |
parent | c5eeac66544d6405701f3ffd1134964fbbf8ed51 (diff) | |
download | mpv-02daf37328c57ab12bd086a0d4ce91a5f6d70a97.tar.bz2 mpv-02daf37328c57ab12bd086a0d4ce91a5f6d70a97.tar.xz |
demux_mkv: fix a hang with invalid files
ebml_read_length() could return a negative value (as uint64_t though)
at EOF, and this would then make ebml_read_skip() seek backwards. This
could lead to an infinite loop at EOF with corrupt files. Add an extra
check to make ebml_read_length() return EBML_UINT_INVALID instead if
EOF is hit in the middle of parsing.
Diffstat (limited to 'libmpdemux/ebml.c')
-rw-r--r-- | libmpdemux/ebml.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libmpdemux/ebml.c b/libmpdemux/ebml.c index 9bce3b5182..fba8177805 100644 --- a/libmpdemux/ebml.c +++ b/libmpdemux/ebml.c @@ -130,6 +130,8 @@ uint64_t ebml_read_length(stream_t *s, int *length) } if (j == num_ffs) return EBML_UINT_INVALID; + if (len >= 1ULL<<63) // Can happen if stream_read_char returns EOF + return EBML_UINT_INVALID; return len; } |