authorwm4 <[email protected]>2015-02-03 19:04:12 +0100
committerMichael Niedermayer <[email protected]>2015-03-12 00:47:05 +0100
commit42b4ba4a8ae261609100ed41b773b26f9989941e (patch)
tree79cfdd1eed44de7a2117c5ce0acf1c17ad889a76
parent8cf62b34e4286d3ec2645afc8ef4329bc08f72e1 (diff)
avformat/mpc8: fix hang with fuzzed file
This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer <[email protected]>
-rw-r--r--libavformat/mpc8.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index db23781613..161cee3367 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -204,6 +204,10 @@ static int mpc8_read_header(AVFormatContext *s, AVFormatParameters *ap)
while(!url_feof(pb)){
pos = avio_tell(pb);
mpc8_get_chunk_header(pb, &tag, &size);
+ if (size < 0) {
+ av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+ return AVERROR_INVALIDDATA;
+ }
if(tag == TAG_STREAMHDR)
break;
mpc8_handle_chunk(s, tag, pos, size);
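Review bot: The error logged by the new `if (size < 0)` guard carries neither the rejected value nor the position saved in `pos` just above it, so a report from a fuzzed or corrupt file cannot be traced to the offending chunk. Assuming both variables are 64-bit (their declarations are outside the hunk), the line could read `av_log(s, AV_LOG_ERROR, "Invalid chunk length %"PRId64" at offset %"PRId64"\n", size, pos);`. A one-line comment above the guard would also help, for example `/* a negative size would make the chunk skip seek backwards and re-read the same header forever */`, since that reasoning currently lives only in the commit message. Only the lower bound is checked here, and whether `mpc8_handle_chunk` on the last line of the hunk bounds a positive size that runs past the end of the file is not visible from this hunk and is worth confirming. The body of `mpc8_read_header` begins and ends outside the hunk.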