On Sat, May 07, 2022 at 09:36:34AM +0000, softworkz wrote: > From: softworkz > > The spec allows attachment sizes of up to UINT32_MAX while > we can handle only sizes up to INT32_MAX (in downstream > code) > > The debug.assert in get_tag didn't really address this, > and truncating the value_len in calling methods cannot > be used because the length value is required in order to > continue parsing. This adds a check with log message in > ff_asf_handle_byte_array to handle those (rare) cases. > > Signed-off-by: softworkz > --- > libavformat/asf.c | 12 +++++++++--- > libavformat/asf.h | 2 +- > 2 files changed, 10 insertions(+), 4 deletions(-) > > diff --git a/libavformat/asf.c b/libavformat/asf.c > index 1ac8b5f078..179b66a2b4 100644 > --- a/libavformat/asf.c > +++ b/libavformat/asf.c > @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len) > } > > int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, > - int val_len) > + uint32_t val_len) > { > + if (val_len > INT32_MAX) { > + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name); > + return 1; > + } > + > if (!strcmp(name, "WM/Picture")) // handle cover art > - return asf_read_picture(s, val_len); > + return asf_read_picture(s, (int)val_len); > else if (!strcmp(name, "ID3")) // handle ID3 tag > - return get_id3_tag(s, val_len); > + return get_id3_tag(s, (int)val_len); unneeded > > + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name); Probably this should be DEBUG thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Many things microsoft did are stupid, but not doing something just because microsoft did it is even more stupid. If everything ms did were stupid they would be bankrupt already.