avformat/ty: do not overread chunk

Signed-off-by: Paul B Mahol <onemda@gmail.com>
author: Paul B Mahol <onemda@gmail.com> 2017-11-06 21:00:08 +0100
committer: Paul B Mahol <onemda@gmail.com> 2017-11-06 21:00:08 +0100
commit: a29a0aba79dad35a80cfcdf6db6b506afb48dcaa (patch)
tree: 51b996317d7b17736ed4429e4011a8f4cf01de59
parent: cdd19e2c560397a72433425b1c5f781cc157a7cf (diff)
download: ffmpeg-a29a0aba79dad35a80cfcdf6db6b506afb48dcaa.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/ty.c b/libavformat/ty.c
index 3926d3e9b7..1ce72dd0f9 100644
--- a/libavformat/ty.c
+++ b/libavformat/ty.c
@@ -249,7 +249,11 @@ static int analyze_chunk(AVFormatContext *s, const uint8_t *chunk)
      * in MPEG packets to determine tivo_type */
     if (ty->tivo_type == TIVO_TYPE_UNKNOWN) {
         uint32_t data_offset = 16 * num_recs;
+
         for (i = 0; i < num_recs; i++) {
+            if (data_offset + hdrs[i].rec_size > CHUNK_SIZE)
+                break;
+
             if ((hdrs[i].subrec_type << 0x08 | hdrs[i].rec_type) == 0x3c0 && hdrs[i].rec_size > 15) {
                 /* first make sure we're aligned */
                 int pes_offset = find_es_header(ty_MPEGAudioPacket,
author	Paul B Mahol <onemda@gmail.com>	2017-11-06 21:00:08 +0100
committer	Paul B Mahol <onemda@gmail.com>	2017-11-06 21:00:08 +0100
commit	a29a0aba79dad35a80cfcdf6db6b506afb48dcaa (patch)
tree	51b996317d7b17736ed4429e4011a8f4cf01de59
parent	cdd19e2c560397a72433425b1c5f781cc157a7cf (diff)
download	ffmpeg-a29a0aba79dad35a80cfcdf6db6b506afb48dcaa.tar.gz