Commit daa24828 authored by Michael Niedermayer's avatar Michael Niedermayer

avformat/aadec: Check toc_size to contain the minimum to demuxer uses

Fixes: out of array access
Fixes: stack-buffer-overflow-READ-0x0831fff1
Found-by: 's avatarGalyCannon <galycannon@gmail.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 435fa373
...@@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s) ...@@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s)
avio_skip(pb, 4); // magic string avio_skip(pb, 4); // magic string
toc_size = avio_rb32(pb); // TOC size toc_size = avio_rb32(pb); // TOC size
avio_skip(pb, 4); // unidentified integer avio_skip(pb, 4); // unidentified integer
if (toc_size > MAX_TOC_ENTRIES) if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
for (i = 0; i < toc_size; i++) { // read TOC for (i = 0; i < toc_size; i++) { // read TOC
avio_skip(pb, 4); // TOC entry index avio_skip(pb, 4); // TOC entry index
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment