"bad filename length, remaining directory entries ignored\n");
break;
}
+ if (dir_length == 0) {
+ av_log(s, AV_LOG_ERROR,
+ "bad dir length, remaining directory entries ignored\n");
+ break;
+ }
if (48 + (int64_t)name_size > buf_end - buf) {
av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
break;
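Review bot: The new guard `if (dir_length == 0)` rejects only zero and has no comment saying which failure it prevents. Presumably the loop advances by `dir_length`, so a zero value would re-parse the same entry forever, but that code is outside the hunk. I would add `/* a zero dir_length would never advance to the next entry */` above the check. It is also worth confirming whether a non-zero `dir_length` smaller than the 48-byte header plus `name_size` should be rejected too, since the following test only bounds the name against the buffer and not the entry length against the name.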
char description[1024];
unsigned int filesize;
AVStream *st;
- int ret;
int64_t pos = avio_tell(pb);
avio_get_str16le(pb, INT_MAX, mime, sizeof(mime));
if (!filesize)
goto done;
- st = avformat_new_stream(s, NULL);
- if (!st)
+ if (ff_add_attached_pic(s, NULL, pb, NULL, filesize) < 0)
goto done;
+ st = s->streams[s->nb_streams - 1];
av_dict_set(&st->metadata, "title", description, 0);
- st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
st->codecpar->codec_id = AV_CODEC_ID_MJPEG;
st->id = -1;
- ret = av_get_packet(pb, &st->attached_pic, filesize);
- if (ret < 0)
- goto done;
- st->attached_pic.stream_index = st->index;
- st->attached_pic.flags |= AV_PKT_FLAG_KEY;
- st->disposition |= AV_DISPOSITION_ATTACHED_PIC;
done:
avio_seek(pb, pos + length, SEEK_SET);
}
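Review bot: `filesize` is declared `unsigned int`, and the only test before `ff_add_attached_pic(s, NULL, pb, NULL, filesize)` is `if (!filesize)`, so a value above INT_MAX or larger than the attribute's `length` reaches the helper unchecked. If the helper takes a signed int size, large values become negative in the conversion and the code depends on the callee to reject them. I would make the guard explicit with `if (!filesize || filesize > INT_MAX) goto done;`. The line `st = s->streams[s->nb_streams - 1];` also deserves a comment such as `/* the helper appended the new stream last */`, because it silently relies on that behaviour. The function starts outside the hunk, so where `filesize` and `length` are read is not visible here.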
ff_get_guid(pb, &g);
len = avio_rl32(pb);
- if (len < 32) {
+ if (len < 32 || len > INT_MAX - 7) {
int ret;
if (avio_feof(pb))
return AVERROR_EOF;
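Review bot: The added bound `len > INT_MAX - 7` is a magic number with no comment tying it to its purpose. It appears to protect the rounding done by `WTV_PAD8(len)` at the later `avio_skip`, but the macro's definition is not on the page. I would add `/* WTV_PAD8() may round len up by 7; keep that from overflowing */` above the test. An oversized `len` now shares the branch written for a too-short chunk, and the rest of that branch lies outside the hunk, so confirm its handling and any message it logs also fit a too-large length.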
avio_skip(pb, 12);
ff_get_guid(pb, &formattype);
size = avio_rl32(pb);
+ if (size < 0 || size > INT_MAX - 92)
+ return AVERROR_INVALIDDATA;
parse_media_type(s, 0, sid, mediatype, subtype, formattype, size);
consumed += 92 + size;
}
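Review bot: The added check bounds `size` against INT_MAX only, which keeps `consumed += 92 + size` from overflowing but does not stop it from exceeding the chunk's own `len`. When that happens, `WTV_PAD8(len) - consumed` in the later `avio_skip` goes negative and may move the read position backwards instead of on to the next chunk; this depends on how `avio_skip` and `parse_media_type` treat such values, which is not shown. I would bound `size` by what is left of the chunk, for example `if (size < 0 || size > len - consumed - 92)`, assuming `consumed` holds the bytes read so far at that point. The same applies to the `INT_MAX - 76` check in the next hunk. Both enclosing blocks begin outside the hunks.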
avio_skip(pb, 12);
ff_get_guid(pb, &formattype);
size = avio_rl32(pb);
+ if (size < 0 || size > INT_MAX - 76)
+ return AVERROR_INVALIDDATA;
parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size);
consumed += 76 + size;
}
} else
av_log(s, AV_LOG_WARNING, "unsupported chunk:"FF_PRI_GUID"\n", FF_ARG_GUID(g));
+ if (avio_feof(pb))
+ break;
+
avio_skip(pb, WTV_PAD8(len) - consumed);
}
return AVERROR_EOF;
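Review bot: The added `if (avio_feof(pb)) break;` has no comment saying why the loop must stop before the trailing `avio_skip`, and the reason is not evident from the hunk alone. A one-line comment such as `/* truncated input: stop here rather than skip past EOF and iterate again */` would record it. The break falls through to `return AVERROR_EOF;`, so an I/O error that also sets the EOF flag may be reported as a plain end of file. If the I/O context's error code is meant to reach the caller, it would need to be checked at this point.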