icodec: correctly check avio_read return value

It can read less than the requested amount, in which case buf contains uninitialized data, causing problems like segmentation faults later on. Also make sure that image->size is positive, so that it can't match a negative error code. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

icodec: correctly check avio_read return value
It can read less than the requested amount, in which case buf contains uninitialized data, causing problems like segmentation faults later on. Also make sure that image->size is positive, so that it can't match a negative error code. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
89eb398c · Andreas Cadhalpun · c82b8ef0 · 89eb398c
Commit 89eb398c authored Nov 08, 2016 by Andreas Cadhalpun
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

icodec.c libavformat/icodec.c +6 -2

No files found.
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -109,6 +109,10 @@ static int read_header(AVFormatContext *s)
        avio_skip(pb, 5);

        ico->images[i].size   = avio_rl32(pb);
+        if (ico->images[i].size <= 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size);
+            return AVERROR_INVALIDDATA;
+        }
        ico->images[i].offset = avio_rl32(pb);

        if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0)
@@ -174,9 +178,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
        bytestream_put_le16(&buf, 0);
        bytestream_put_le32(&buf, 0);

-        if ((ret = avio_read(pb, buf, image->size)) < 0) {
+        if ((ret = avio_read(pb, buf, image->size)) != image->size) {
            av_packet_unref(pkt);
-            return ret;
+            return ret < 0 ? ret : AVERROR_INVALIDDATA;
        }

        st->codecpar->bits_per_coded_sample = AV_RL16(buf + 14);