From 4ae7d4517048fb5ba64069ad332c2a555d86a8e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Tue, 20 Dec 2011 18:04:13 +0100 Subject: [PATCH] mxfdec: Fix infinite loop in mxf_packet_timestamps() This can happen if an index table segment has a very large IndexStartPosition. zzuf3.mxf is an example of such a file. --- libavformat/mxfdec.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 8d60fe76f4..4a49907a69 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1712,7 +1712,7 @@ static int mxf_read_header(AVFormatContext *s, AVFormatParameters *ap) */ static void mxf_packet_timestamps(MXFContext *mxf, AVPacket *pkt) { - int64_t next_ofs; + int64_t last_ofs = -1, next_ofs; MXFIndexTable *t = &mxf->index_tables[0]; /* this is called from the OP1a demuxing logic, which means there may be no index tables */ @@ -1724,9 +1724,17 @@ static void mxf_packet_timestamps(MXFContext *mxf, AVPacket *pkt) if (mxf_edit_unit_absolute_offset(mxf, t, mxf->current_edit_unit + 1, NULL, &next_ofs, 0) < 0) break; + if (next_ofs <= last_ofs) { + /* large next_ofs didn't change or current_edit_unit wrapped around + * this fixes the infinite loop on zzuf3.mxf */ + av_log(mxf->fc, AV_LOG_ERROR, "next_ofs didn't change. not deriving packet timestamps\n"); + return; + } + if (next_ofs > pkt->pos) break; + last_ofs = next_ofs; mxf->current_edit_unit++; }