avformat/wavdec: check smv_frames_per_jpeg

Values outside would not be possible due to limitations of jpeg itself Fixes very long running loop Fixes Ticket2977 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-09-26 14:48:43 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-09-26 14:56:32 +0200
commit: e02495372240ad826a8a6b2ecb035bf001b64344 (patch)
tree: 465316193b6db6dba91ba7f37cf62ea5bffd9ac8
parent: cd05c4060a2f170ab061ce59ce896a5fa1c53a15 (diff)
download: ffmpeg-e02495372240ad826a8a6b2ecb035bf001b64344.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 9a01705d9c..9e247e3bb7 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -369,6 +369,10 @@ static int wav_read_header(AVFormatContext *s)
             avio_rl24(pb);
             avio_rl24(pb);
             wav->smv_frames_per_jpeg = avio_rl24(pb);
+            if (wav->smv_frames_per_jpeg > 65536) {
+                av_log(s, AV_LOG_ERROR, "too many frames per jpeg\n");
+                return AVERROR_INVALIDDATA;
+            }
             AV_WL32(vst->codec->extradata, wav->smv_frames_per_jpeg);
             wav->smv_cur_pt = 0;
             goto break_loop;
author	Michael Niedermayer <michaelni@gmx.at>	2013-09-26 14:48:43 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-09-26 14:56:32 +0200
commit	e02495372240ad826a8a6b2ecb035bf001b64344 (patch)
tree	465316193b6db6dba91ba7f37cf62ea5bffd9ac8
parent	cd05c4060a2f170ab061ce59ce896a5fa1c53a15 (diff)
download	ffmpeg-e02495372240ad826a8a6b2ecb035bf001b64344.tar.gz