Merge remote-tracking branch 'qatar/master'

* qatar/master:
  tests: Refactor rotozoom/videogen common code into a separate file.
  tests: Mark some file-internal symbols as static.
  build: Drop leftover .exp pattern from LIBSUFFIXES list.
  vsrc_buffer: return EAGAIN if no frame is available.
  WMAL: Shift output samples by the specified number of padding zeroes.
  WMAL: Restore removed code in mclms_predict()
  rtpdec_h264: Remove a useless ifdef
  rtpdec_h264: Remove outdated/useless/incorrect comments
  rtpdec_h264: Remove useless memory corruption checks
  rtpdec_h264: Return proper error codes
  rtpdec_h264: Check the available data length before reading
  rtpdec_h264: Add input size checks
  png: check bit depth for PAL8/Y400A pixel formats.
  ea: check chunk_size for validity.
  celp filters: Do not read earlier than the start of the 'out' vector.

Conflicts:
	libavcodec/pngdec.c
	libavfilter/src_buffer.c
	tests/rotozoom.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 6 insertions, 1 deletions

diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index 0fb66970d6..3070b05780 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -495,12 +495,17 @@ static int ea_read_packet(AVFormatContext *s,
 
     while (!packet_read || partial_packet) {
         chunk_type = avio_rl32(pb);
-        chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+        chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+        if (chunk_size <= 8)
+            return AVERROR_INVALIDDATA;
+        chunk_size -= 8;
 
         switch (chunk_type) {
         /* audio data */
         case ISNh_TAG:
             /* header chunk also contains data; skip over the header portion*/
+            if (chunk_size < 32)
+                return AVERROR_INVALIDDATA;
             avio_skip(pb, 32);
             chunk_size -= 32;
         case ISNd_TAG: