avformat/hnm: Check *chunk_size

Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2024-07-11 18:40:46 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2024-07-21 16:41:23 +0200
commit: 291356f58b8a1af491c692a89e6c4e70e9496f9d (patch)
tree: 583ed4c35c2e81704cdccc18a7ace950ad5fc74f /libavformat
parent: 7e577165c101513b4d8afe164e604cbef6901546 (diff)
download: ffmpeg-291356f58b8a1af491c692a89e6c4e70e9496f9d.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libavformat/hnm.c b/libavformat/hnm.c
index 42efaaa3e8..425dadc5e3 100644
--- a/libavformat/hnm.c
+++ b/libavformat/hnm.c
@@ -114,6 +114,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
     if (hnm->superchunk_remaining == 0) {
         /* parse next superchunk */
         superchunk_size = avio_rl24(pb);
+        if (superchunk_size < 4)
+            return AVERROR_INVALIDDATA;
         avio_skip(pb, 1);
 
         hnm->superchunk_remaining = superchunk_size - 4;
@@ -124,7 +126,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
     chunk_id = avio_rl16(pb);
     avio_skip(pb, 2);
 
-    if (chunk_size > hnm->superchunk_remaining || !chunk_size) {
+    if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) {
         av_log(s, AV_LOG_ERROR,
                "invalid chunk size: %"PRIu32", offset: %"PRId64"\n",
                chunk_size, avio_tell(pb));
author	Michael Niedermayer <michael@niedermayer.cc>	2024-07-11 18:40:46 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2024-07-21 16:41:23 +0200
commit	291356f58b8a1af491c692a89e6c4e70e9496f9d (patch)
tree	583ed4c35c2e81704cdccc18a7ace950ad5fc74f /libavformat
parent	7e577165c101513b4d8afe164e604cbef6901546 (diff)
download	ffmpeg-291356f58b8a1af491c692a89e6c4e70e9496f9d.tar.gz