omadec: Properly check lengths before incrementing the position

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 342c43d154e586bc022c86b168fe8d36f69da9d3) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Martin Storsjö <martin@martin.st> 2013-09-11 14:54:05 +0300
committer: Luca Barbato <lu_zero@gentoo.org> 2013-10-03 23:31:22 +0200
commit: 9eba02d5dd7036294ea350cb772822deec95b867 (patch)
tree: e561e6003ca2daf23dd792272938df918df3fb33
parent: 557df77eab7d3726c34221aeb999afe9e7818d52 (diff)
download: ffmpeg-9eba02d5dd7036294ea350cb772822deec95b867.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 8548fb5f78..040345187b 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -170,7 +170,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
     taglen = AV_RB32(&enc_header[pos+32]);
     datalen = AV_RB32(&enc_header[pos+36]) >> 4;
 
-    pos += 44 + taglen;
+    pos += 44;
+    if (size - pos < taglen)
+        return -1;
+
+    pos += taglen;
 
     if (datalen << 4 > size - pos)
         return -1;
author	Martin Storsjö <martin@martin.st>	2013-09-11 14:54:05 +0300
committer	Luca Barbato <lu_zero@gentoo.org>	2013-10-03 23:31:22 +0200
commit	9eba02d5dd7036294ea350cb772822deec95b867 (patch)
tree	e561e6003ca2daf23dd792272938df918df3fb33
parent	557df77eab7d3726c34221aeb999afe9e7818d52 (diff)
download	ffmpeg-9eba02d5dd7036294ea350cb772822deec95b867.tar.gz