authorKostya Shishkov <kostya.shishkov@gmail.com>2013-06-12 14:30:51 +0200
committerReinhard Tartler <siretart@tauware.de>2013-06-30 16:06:34 +0200
commitb40870e636401ddbc97f966a60a21780e1eb17ca (patch)
tree7b550ed62f773467960912d39cc7126c5f045639
parentdb0c8061fe540bbd72146cc0c9105e30d54d7f61 (diff)
smacker: check frame size validity
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit 07423ad7836325e03894f2f87ba46a531a1cc0b3) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
-rw-r--r--libavformat/smacker.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index e7c89e09f9..d6bb21373e 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -297,10 +297,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
/* if audio chunks are present, put them to stack and retrieve later */
for(i = 0; i < 7; i++) {
if(flags & 1) {
- int size;
+ uint32_t size;
uint8_t *tmpbuf;
size = avio_rl32(s->pb) - 4;
+ if (!size || size > frame_size) {
+ av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
+ return AVERROR_INVALIDDATA;
+ }
frame_size -= size;
frame_size -= 4;
smk->curstream++;
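Review bot: The new guard `size > frame_size` does not account for the 4-byte length field that `frame_size -= 4;` subtracts two lines later, so a chunk whose `size` equals `frame_size` (or is within 3 of it) passes the check and leaves `frame_size` below zero or wrapped. If `frame_size` is a signed `int` (its declaration is outside the hunk), the next loop iteration would compare `size` against that negative value after conversion to unsigned, which makes the bound ineffective for the remaining audio chunks. Folding the length field into the check, e.g. `if (!size || size + 4LL > frame_size) {`, closes the gap and still rejects the wrapped value produced when `avio_rl32(s->pb)` returns less than 4. The body of `smacker_read_packet` continues outside the hunk, so how `size` is used after this point should be confirmed against the full function.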