Commit ee16a0ce authored by Kostya Shishkov's avatar Kostya Shishkov Committed by Luca Barbato

smacker: check frame size validity

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: 's avatarLuca Barbato <lu_zero@gentoo.org>
parent 58c95448
......@@ -304,10 +304,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
/* if audio chunks are present, put them to stack and retrieve later */
for(i = 0; i < 7; i++) {
if(flags & 1) {
int size;
uint32_t size;
uint8_t *tmpbuf;
size = avio_rl32(s->pb) - 4;
if (!size || size > frame_size) {
av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
return AVERROR_INVALIDDATA;
}
frame_size -= size;
frame_size -= 4;
smk->curstream++;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment