avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2 Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: 孙浩 and 张洪亮(望初) <tony.sh and wangchu.zhl@alibaba-inc.com> 2017-08-25 01:15:29 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-08-27 19:23:30 +0200
commit: 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de (patch)
tree: 7e14ead5baa78ce3279c413a38aad5a5dbf5abec
parent: 124eb202e70678539544f6268efc98131f19fa49 (diff)
download: ffmpeg-96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de.tar.gz
1 files changed, 12 insertions, 3 deletions
diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1d9a..eb1682dfcb 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
     }
 
     /** read offset and size tables */
-    for(i=0; i < frame_count;i++)
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_size[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_offset[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         audio_size[i] = avio_rl32(pb) & 0xFFFF;
+    }
 
     /** build the sample index */
     for(i=0;i<frame_count;i++){
author	孙浩 and 张洪亮(望初) <tony.sh and wangchu.zhl@alibaba-inc.com>	2017-08-25 01:15:29 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-08-27 19:23:30 +0200
commit	96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de (patch)
tree	7e14ead5baa78ce3279c413a38aad5a5dbf5abec
parent	124eb202e70678539544f6268efc98131f19fa49 (diff)
download	ffmpeg-96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de.tar.gz