1. ffmpeg
  2. Commit ee16a0ced01e6a33b7b01a0b21a0e07c1e1c7884
Browse code

smacker: check frame size validity

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

Kostya Shishkov authored on 2013/06/12 21:30:51
Showing 1 changed files
libavformat/smacker.c
History View file @ ee16a0c
... ... 
@@ -304,10 +304,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
304 304 
         /* if audio chunks are present, put them to stack and retrieve later */
305 305 
         for(i = 0; i < 7; i++) {
306 306 
             if(flags & 1) {
307 
-                int size;
307 
+                uint32_t size;
308 308 
                 uint8_t *tmpbuf;
309 309
310 310 
                 size = avio_rl32(s->pb) - 4;
311 
+                if (!size || size > frame_size) {
312 
+                    av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
313 
+                    return AVERROR_INVALIDDATA;
314 
+                }
311 315 
                 frame_size -= size;
312 316 
                 frame_size -= 4;
313 317 
                 smk->curstream++;