From 75282a6a83d42f6f1f5d579b748ddf317c2645bd Mon Sep 17 00:00:00 2001
From: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Sun, 21 Jan 2007 18:22:07 +0000
Subject: [PATCH] Sanity-check sh_video->bih->biSize

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@21985 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/asfheader.c | 2 ++
 libmpdemux/aviheader.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/libmpdemux/asfheader.c b/libmpdemux/asfheader.c
index 8d5178070a..3690ba1936 100644
--- a/libmpdemux/asfheader.c
+++ b/libmpdemux/asfheader.c
@@ -420,6 +420,8 @@ int read_asf_header(demuxer_t *demuxer,struct asf_priv* asf){
         sh_video->bih=calloc((len<sizeof(BITMAPINFOHEADER))?sizeof(BITMAPINFOHEADER):len,1);
         memcpy(sh_video->bih,&buffer[4+4+1+2],len);
 	le2me_BITMAPINFOHEADER(sh_video->bih);
+	if (sh_video->bih->biSize > len && sh_video->bih->biSize > sizeof(BITMAPINFOHEADER))
+		sh_video->bih->biSize = len;
         if (sh_video->bih->biCompression == mmioFOURCC('D', 'V', 'R', ' ')) {
           //mp_msg(MSGT_DEMUXER, MSGL_WARN, MSGTR_MPDEMUX_ASFHDR_DVRWantsLibavformat);
           //sh_video->fps=(float)sh_video->video.dwRate/(float)sh_video->video.dwScale;
diff --git a/libmpdemux/aviheader.c b/libmpdemux/aviheader.c
index 0cb6ee5a55..60984e6f06 100644
--- a/libmpdemux/aviheader.c
+++ b/libmpdemux/aviheader.c
@@ -262,6 +262,8 @@ while(1){
         mp_msg(MSGT_HEADER,MSGL_V,MSGTR_MPDEMUX_AVIHDR_FoundBitmapInfoHeader,chunksize,sizeof(BITMAPINFOHEADER));
         stream_read(demuxer->stream,(char*) sh_video->bih,chunksize);
 	le2me_BITMAPINFOHEADER(sh_video->bih);  // swap to machine endian
+	if (sh_video->bih->biSize > chunksize && sh_video->bih->biSize > sizeof(BITMAPINFOHEADER))
+		sh_video->bih->biSize = chunksize;
 	// fixup MS-RLE header (seems to be broken for <256 color files)
 	if(sh_video->bih->biCompression<=1 && sh_video->bih->biSize==40)
 	    sh_video->bih->biSize=chunksize;