From 71bd023da5e83e3f65e068d0b12bf5b45050d2d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20=C3=96man?= Date: Sat, 21 Oct 2006 11:17:39 +0000 Subject: [PATCH] avoid crashing when trying to parse invalid files, patch by Andreas Oman, andreas at olebyn dot nu Originally committed as revision 6752 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavformat/tiertexseq.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/tiertexseq.c b/libavformat/tiertexseq.c index 4bd1cda06d..b1a39bf760 100644 --- a/libavformat/tiertexseq.c +++ b/libavformat/tiertexseq.c @@ -122,7 +122,7 @@ static int seq_parse_frame_data(SeqDemuxContext *seq, ByteIOContext *pb) { unsigned int offset_table[4], buffer_num[4]; TiertexSeqFrameBuffer *seq_buffer; - int i, e; + int i, e, err; seq->current_frame_offs += SEQ_FRAME_SIZE; url_fseek(pb, seq->current_frame_offs, SEEK_SET); @@ -153,13 +153,18 @@ static int seq_parse_frame_data(SeqDemuxContext *seq, ByteIOContext *pb) for (i = 0; i < 3; i++) { if (offset_table[i] != 0) { for (e = i + 1; e < 4 && offset_table[e] == 0; e++); - seq_fill_buffer(seq, pb, buffer_num[1 + i], + err = seq_fill_buffer(seq, pb, buffer_num[1 + i], offset_table[i], offset_table[e] - offset_table[i]); + if (err != 0) + return err; } } if (buffer_num[0] != 255) { + if (buffer_num[0] >= SEQ_NUM_FRAME_BUFFERS) + return AVERROR_INVALIDDATA; + seq_buffer = &seq->frame_buffers[buffer_num[0]]; seq->current_video_data_size = seq_buffer->fill_size; seq->current_video_data_ptr = seq_buffer->data;