aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorKostya Shishkov <kostya.shishkov@gmail.com>2013-06-12 14:30:51 +0200
committerLuca Barbato <lu_zero@gentoo.org>2013-06-16 15:57:31 +0200
commitee16a0ced01e6a33b7b01a0b21a0e07c1e1c7884 (patch)
treea0cc7c75c4cb33c3a0eabde9ff6cd1553f70bea4 /libavformat
parent58c95448e42d34910b939363949ba1a92c06b0b0 (diff)
downloadffmpeg-ee16a0ced01e6a33b7b01a0b21a0e07c1e1c7884.tar.gz
smacker: check frame size validity
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/smacker.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 7eed34d516..cd4353a1b9 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -304,10 +304,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
/* if audio chunks are present, put them to stack and retrieve later */
for(i = 0; i < 7; i++) {
if(flags & 1) {
- int size;
+ uint32_t size;
uint8_t *tmpbuf;
size = avio_rl32(s->pb) - 4;
+ if (!size || size > frame_size) {
+ av_log(s, AV_LOG_ERROR, "Invalid audio part size\n");
+ return AVERROR_INVALIDDATA;
+ }
frame_size -= size;
frame_size -= 4;
smk->curstream++;