libav: fix crash when scanning wmv file

Fixes crash reported here
https://forum.handbrake.fr/viewtopic.php?f=11&t=35690

Does not fix scan problem, but follow-up commit will.

Also possibly related
https://github.com/HandBrake/HandBrake/issues/466
https://github.com/HandBrake/HandBrake/issues/495

(cherry picked from commit 05f743e784fe69e2950d32e8ac177c34a2f3e5c8)

diff --git a/contrib/ffmpeg/A07-wmv-crash.patch b/contrib/ffmpeg/A07-wmv-crash.patch
new file mode 100644 (file)
index 0000000..ca124a1
--- /dev/null
+++ b/contrib/ffmpeg/A07-wmv-crash.patch
@@ -0,0 +1,31 @@
+From 8e67039c6312ba520945f2c01b7b14df056d5ed1 Mon Sep 17 00:00:00 2001
+From: John Stebbins <stebbins@jetheaddev.com>
+Date: Thu, 12 Jan 2017 13:36:26 -0700
+Subject: [PATCH] asfdec: Use the ASF stream count when iterating
+
+The AVFormat stream count can be larger due external factors, such as
+an id3 tag appended.
+
+Avoid an out of bound read.
+
+Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
+---
+ libavformat/asfdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
+index 1c50ad6..d602af8 100644
+--- a/libavformat/asfdec.c
++++ b/libavformat/asfdec.c
+@@ -1485,7 +1485,7 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
+             asf->return_subpayload = 0;
+             return 0;
+         }
+-        for (i = 0; i < s->nb_streams; i++) {
++        for (i = 0; i < asf->nb_streams; i++) {
+             ASFPacket *asf_pkt = &asf->asf_st[i]->pkt;
+             if (asf_pkt && !asf_pkt->size_left && asf_pkt->data_size) {
+                 if (asf->asf_st[i]->span > 1 &&
+-- 
+2.9.3
+