avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: wm4 <nfxjfg@googlemail.com> 2015-02-03 19:04:12 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2015-02-04 00:39:56 +0100
commit: 56cc024220886927350cfc26ee695062ca7ecaf4 (patch)
tree: 2d89fb4c706d325270494f648d0d29584edcd52a
parent: e93d3a22cb53bd88f551c1ad05cf3db3d453a396 (diff)
download: ffmpeg-56cc024220886927350cfc26ee695062ca7ecaf4.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index a15dc25a69..722d0ee05f 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s)
     while(!avio_feof(pb)){
         pos = avio_tell(pb);
         mpc8_get_chunk_header(pb, &tag, &size);
+        if (size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+            return AVERROR_INVALIDDATA;
+        }
         if(tag == TAG_STREAMHDR)
             break;
         mpc8_handle_chunk(s, tag, pos, size);
author	wm4 <nfxjfg@googlemail.com>	2015-02-03 19:04:12 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2015-02-04 00:39:56 +0100
commit	56cc024220886927350cfc26ee695062ca7ecaf4 (patch)
tree	2d89fb4c706d325270494f648d0d29584edcd52a
parent	e93d3a22cb53bd88f551c1ad05cf3db3d453a396 (diff)
download	ffmpeg-56cc024220886927350cfc26ee695062ca7ecaf4.tar.gz