From 851bb3ce825a250b257c174eae334e239c431eb2 Mon Sep 17 00:00:00 2001
From: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Sun, 30 Jan 2011 10:38:10 +0000
Subject: [PATCH] demux_asf: add sanity check

Check that rlen is valid before using it to increment a pointer.

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@32832 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/demux_asf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libmpdemux/demux_asf.c b/libmpdemux/demux_asf.c
index ffbbe0305f..aef2f5ece0 100644
--- a/libmpdemux/demux_asf.c
+++ b/libmpdemux/demux_asf.c
@@ -468,6 +468,10 @@ static int demux_asf_fill_buffer(demuxer_t *demux, demux_stream_t *ds){
 	      rlen = read_varlen(&p, segtype, 0);
 
 //	      printf("### rlen=%d   \n",rlen);
+              if (rlen < 0 || rlen > p_end - p) {
+                mp_msg(MSGT_DEMUX, MSGL_V, "invalid rlen=%d\n", rlen);
+                break;
+              }
 
               switch(rlen){
               case 0x01: // 1 = special, means grouping