authorwm4 <nfxjfg@googlemail.com>2015-02-03 19:04:12 +0100
committerMichael Niedermayer <michaelni@gmx.at>2015-03-12 18:03:49 +0100
commit376533e0cd86e40a8d452b4a040560ab4758241d (patch)
treeba7d0f07b78a704519c735582ddd5c83d720e9f7
parent1d73ad25dcb26b7eb1cdd48ee5acf29cea402fee (diff)
avformat/mpc8: fix hang with fuzzed file
This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavformat/mpc8.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index a3fc1be894..b448c1b8ca 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -214,6 +214,10 @@ static int mpc8_read_header(AVFormatContext *s, AVFormatParameters *ap)
while(!url_feof(pb)){
pos = avio_tell(pb);
mpc8_get_chunk_header(pb, &tag, &size);
+ if (size < 0) {
+ av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+ return AVERROR_INVALIDDATA;
+ }
if(tag == TAG_STREAMHDR)
break;
mpc8_handle_chunk(s, tag, pos, size);
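Review bot: The added `size < 0` guard after `mpc8_get_chunk_header()` validates only the lower bound, so a very large positive `size` from a crafted file is still handed to `mpc8_handle_chunk(s, tag, pos, size)`. That function's body is outside this hunk, so it is worth confirming that any skip or allocation it performs is bounded by the remaining input. The error message would also be easier to triage against fuzzed samples if it carried the offending value and offset, e.g. `av_log(s, AV_LOG_ERROR, "Invalid chunk length %"PRId64" at %"PRId64"\n", size, pos);`, assuming both variables are `int64_t`, which the hunk does not show. The `while` loop and the rest of `mpc8_read_header` continue outside the hunk.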