From 445a02b1ec5ea94d28ea2503a3ae0272fcff0e12 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 12 Apr 2015 17:41:23 +0200
Subject: [PATCH] avformat/rtpdec_asf: Fix potential pointer overflow
Signed-off-by: Michael Niedermayer
---
 libavformat/rtpdec_asf.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index e8377b9389..066bb0ed37 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -54,6 +54,7 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
 p += sizeof(ff_asf_guid) + 14;
 do {
 uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid));
+ int skip = 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;
 if (memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) {
 if (chunksize > end - p)
 return -1;
@@ -61,9 +62,11 @@ static int rtp_asf_fix_header(uint8_t *buf, int len)
 continue;
 }
+ if (end - p < 8 + skip)
+ break;
 /* skip most of the file header, to min_pktsize */
- p += 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;
- if (p + 8 <= end && AV_RL32(p) == AV_RL32(p + 4)) {
+ p += skip;
+ if (AV_RL32(p) == AV_RL32(p + 4)) {
 /* and set that to zero */
 AV_WL32(p, 0);
 return 0;
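Review bot: The new `skip` in the first hunk is a `size_t` expression narrowed to `int` and re-evaluated on every pass of the `do` loop although it never changes. Declaring it `const int skip = 6 * 8 + 3 * 4 + sizeof(ff_asf_guid) * 2;` with a comment such as `/* bytes from the start of the file header object to min_pktsize */` would make the bounds check that depends on it easier to audit. The terms `6 * 8` and `3 * 4` are unexplained, so the offset cannot be verified against the container layout from this code alone. The loop and the function body continue outside the hunk.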
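Review bot: The added guard `if (end - p < 8 + skip) break;` in the second hunk handles a truncated file header by leaving the loop, whereas the truncated-chunk case in the first hunk rejects with `return -1;`. The code after the loop is outside the hunk, so it cannot be confirmed from here that both paths report the same error; writing `return -1;` instead of `break;` would make the rejection explicit. The `8` presumably covers the two 32-bit fields read by `AV_RL32(p)` and `AV_RL32(p + 4)`, and a comment like `/* need skip bytes plus the two 32-bit size fields read below */` would tie the check to the reads it protects.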