From 668c873bedfe9cf415153c3126c8e75d4ec712aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Aug 2012 02:27:51 +0200 Subject: [PATCH] matroskadec: check element size against stream limit in ebml_parse_elem() Fixes Ticket1195 Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f75763284b..2c954afa05 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -945,7 +945,10 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, return ebml_parse_nest(matroska, syntax->def.n, data); case EBML_PASS: return ebml_parse_id(matroska, syntax->def.n, id, data); case EBML_STOP: return 1; - default: return avio_skip(pb,length)<0 ? AVERROR(EIO) : 0; + default: + if(ffio_limit(pb, length) != length) + return AVERROR(EIO); + return avio_skip(pb,length)<0 ? AVERROR(EIO) : 0; } if (res == AVERROR_INVALIDDATA) av_log(matroska->ctx, AV_LOG_ERROR, "Invalid element\n");