avformat/redspark: check coef_off

Fixes out of array reads Found-by: Laurent Butti <laurentb@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avformat/redspark: check coef_off
Fixes out of array reads Found-by: Laurent Butti <laurentb@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
aadfadd7 · Michael Niedermayer · 9e477a37 · aadfadd7
Commit aadfadd7 authored Aug 23, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

redspark.c libavformat/redspark.c +5 -0

No files found.
--- a/libavformat/redspark.c
+++ b/libavformat/redspark.c
@@ -108,6 +108,11 @@ static int redspark_read_header(AVFormatContext *s)
    if (bytestream2_get_byteu(&gbc)) // Loop flag
        coef_off += 16;

+    if (coef_off + codec->channels * (32 + 14) > HEADER_SIZE) {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
    codec->extradata_size = 32 * codec->channels;
    codec->extradata = av_malloc(codec->extradata_size);
    if (!codec->extradata) {