sanity checks some might have been exploitable

Originally committed as revision 5370 to svn://svn.ffmpeg.org/ffmpeg/trunk

1 files changed, 7 insertions, 0 deletions

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 916dd84077..7733da3bd7 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -114,6 +114,13 @@ static int smacker_read_header(AVFormatContext *s, AVFormatParameters *ap)
     for(i = 0; i < 7; i++)
         smk->audio[i] = get_le32(pb);
     smk->treesize = get_le32(pb);
+
+    if(smk->treesize >= UINT_MAX/4){ // smk->treesize + 16 must not overflow (this check is probably redundant)
+        av_log(s, AV_LOG_ERROR, "treesize too large\n");
+        return -1;
+    }
+
+//FIXME remove extradata "rebuilding"
     smk->mmap_size = get_le32(pb);
     smk->mclr_size = get_le32(pb);
     smk->full_size = get_le32(pb);