diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-06-23 14:05:17 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-07-04 19:19:34 +0200 |
| commit | 2f687bc83e87cd289fafcebd026fe7f586f86332 (patch) | |
| tree | 269be6d27b62269cfd5c62a99fef0535a6b2b4d8 /libavformat/smacker.c | |
| parent | 02bbb3700670cc0bcf2c267ae48b21b0a9d7b599 (diff) | |
| download | ffmpeg-2f687bc83e87cd289fafcebd026fe7f586f86332.tar.gz | |
avformat/smacker: Check audio frame size
The first four bytes of smacker audio are supposed to contain the number
of samples, so treat audio frames smaller than that as invalid.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Diffstat (limited to 'libavformat/smacker.c')
| -rw-r--r-- | libavformat/smacker.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 787c5d8972..c803ecbec9 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -307,14 +307,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) if(flags & 1) { uint32_t size; - size = avio_rl32(s->pb) - 4; - if (!size || size + 4LL > frame_size) { + size = avio_rl32(s->pb); + if ((int)size < 8 || size > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); ret = AVERROR_INVALIDDATA; goto next_frame; } frame_size -= size; - frame_size -= 4; + size -= 4; if ((ret = av_reallocp(&smk->bufs[smk->curstream], size)) < 0) { smk->buf_sizes[smk->curstream] = 0; goto next_frame; |