Commit bcdc90fa authored by Filip Roséen's avatar Filip Roséen Committed by Jean-Baptiste Kempf

demux/asf: prevent integer overflow in ASF_NextObject

Before returning from ASF_NextObject, the former implementation would
simply calculate "p_obj->common.i_object_pos + p_obj->common.i_object_size",
and pass the result to stream_Seek.

Of course this is rather dangerous given that the value of ".i_object_size"
is populated by simply reading the input stream.
Signed-off-by: Jean-Baptiste Kempf's avatarJean-Baptiste Kempf <jb@videolan.org>
parent 02cd3e04
......@@ -156,6 +156,9 @@ static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary
if( p_obj->common.i_object_size <= 0 )
return VLC_EGENERIC;
if( ( UINT64_MAX - p_obj->common.i_object_pos ) < p_obj->common.i_object_size )
return VLC_EGENERIC;
if( p_obj->common.p_father &&
p_obj->common.p_father->common.i_object_size != 0 )
{
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment