authorwm4 <nfxjfg@googlemail.com>2015-02-03 19:04:12 +0100
committerMichael Niedermayer <michaelni@gmx.at>2015-02-04 00:48:43 +0100
commit28f303542e90bc34f96e2e04af6f1b9e9b9d65ab (patch)
tree58dabfeaa407b87ccefc476ea422bd72aa150e0a
parent6e7f183ae632f160638203c4a9302c25f1bc7bc6 (diff)
downloadffmpeg-28f303542e90bc34f96e2e04af6f1b9e9b9d65ab.tar.gz
avformat/mpc8: fix hang with fuzzed file
This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavformat/mpc8.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 7017c187f7..31026fef1c 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -216,6 +216,10 @@ static int mpc8_read_header(AVFormatContext *s)
while(!url_feof(pb)){
pos = avio_tell(pb);
mpc8_get_chunk_header(pb, &tag, &size);
+ if (size < 0) {
+ av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+ return AVERROR_INVALIDDATA;
+ }
if(tag == TAG_STREAMHDR)
break;
mpc8_handle_chunk(s, tag, pos, size);
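Review bot: The guard added after `mpc8_get_chunk_header()` rejects only `size < 0`, so a fuzzed length that is positive but larger than the remaining input still reaches `mpc8_handle_chunk(s, tag, pos, size)` and, after the `break`, whatever parses the stream header. Neither is visible in this hunk, so it is worth confirming that both bound `size` against the data actually available. The error message would also help triage of malformed samples if it carried the values already in scope, e.g. `av_log(s, AV_LOG_ERROR, "Invalid chunk length %"PRId64" at %"PRId64"\n", size, pos);` (assuming both are `int64_t`, as the `avio_tell()` return type suggests). `mpc8_read_header` starts and ends outside the hunk.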