omadec: check GEOB sizes against buffer size

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 4 insertions, 0 deletions

diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 4777c13048..c88d4f4d48 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -219,6 +219,10 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
         av_log(s, AV_LOG_ERROR, "Invalid encryption header\n");
         return -1;
     }
+    if (oc->k_size + oc->e_size + oc->i_size > geob->datasize) {
+        av_log(s, AV_LOG_ERROR, "Too little GEOB data\n");
+        return AVERROR_INVALIDDATA;
+    }
     oc->rid = AV_RB32(&gdata[OMA_ENC_HEADER_SIZE + 28]);
     av_log(s, AV_LOG_DEBUG, "RID: %.8x\n", oc->rid);