smacker: check frame size validity

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

smacker: check frame size validity
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
ee16a0ce · Kostya Shishkov · Luca Barbato · 58c95448 · ee16a0ce
Commit ee16a0ce authored Jun 12, 2013 by Kostya Shishkov Committed by Luca Barbato Jun 16, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

smacker.c libavformat/smacker.c +5 -1

No files found.
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -304,10 +304,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
        /* if audio chunks are present, put them to stack and retrieve later */
        for(i = 0; i < 7; i++) {
            if(flags & 1) {
-                int size;
+                uint32_t size;
                uint8_t *tmpbuf;

                size = avio_rl32(s->pb) - 4;
+                if (!size || size > frame_size) {
+                    av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
+                    return AVERROR_INVALIDDATA;
+                }
                frame_size -= size;
                frame_size -= 4;
                smk->curstream++;