Quoting Luca Barbato (2015-02-02 03:18:43) > Bug-Id: CID 1258461 > CC: [email protected] > --- > libavformat/siff.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavformat/siff.c b/libavformat/siff.c > index 8ba7c60..9ef3066 100644 > --- a/libavformat/siff.c > +++ b/libavformat/siff.c > @@ -204,6 +204,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket > *pkt) > > if (!c->curstrm){ > size = c->pktsize - c->sndsize; > + if (size < 0) > + return AVERROR_INVALIDDATA; > if (av_new_packet(pkt, size) < 0) > return AVERROR(ENOMEM); > AV_WL16(pkt->data, c->flags); > @@ -213,6 +215,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket > *pkt) > pkt->stream_index = 0; > c->curstrm = -1; > }else{ > + if (c->sndsize < 4) > + return AVERROR_INVALIDDATA; > if ((size = av_get_packet(s->pb, pkt, c->sndsize - 4)) < 0) > return AVERROR(EIO); > pkt->stream_index = 1; > -- > 1.9.0 >
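Review bot: in the first hunk, `if (size < 0)` after `size = c->pktsize - c->sndsize` is not enough for the code that follows it: `AV_WL16(pkt->data, c->flags)` writes two bytes into the packet, so a size of 0 or 1 passes the new check and the write goes beyond the size that was requested from av_new_packet. The bound should be the number of bytes this branch writes, not zero, and it is simpler to enforce once where c->pktsize and c->sndsize are parsed than in the packet path.

Review bot: in the second hunk, the `c->sndsize < 4` guard for `c->sndsize - 4` sits in the packet-reading path even though the same field has already been consumed by the first branch via `c->pktsize - c->sndsize`; validating sndsize once at the point it is read would cover both branches with a single check. Separately, and pre-existing, a negative return from av_get_packet is replaced by AVERROR(EIO) instead of being propagated, which hides the actual error; `return size;` would preserve it.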
The proper place for those checks seems to be the if () block above where c->pktsize and c->sndsize are read.

-- 
Anton Khirnov

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
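The suggestion in the reply above, validating c->pktsize and c->sndsize where they are parsed rather than in each consumer, carried into a small parser as an added example. This is not libav's siff.c code: the 4-byte little-endian header layout (pktsize, then sndsize), the demo_* names, the DEMO_EINVAL stand-in for AVERROR_INVALIDDATA and the two minimum sizes are assumptions made for this example; the 2-byte and 4-byte minimums are taken from the `AV_WL16(pkt->data, c->flags)` write and the `c->sndsize - 4` read visible in the patch.

```c
/* Added example, not libav code: validate SIFF-style frame sizes once, where
 * they are parsed, instead of re-checking them in each consumer.  The 4-byte
 * little-endian header (pktsize, then sndsize), the demo_* names and the
 * constants below are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>

#define DEMO_EINVAL (-1) /* stand-in for AVERROR_INVALIDDATA */
#define SOUND_HDR   4    /* non-payload bytes of a sound chunk (the "- 4" in the patch) */
#define VIDEO_HDR   2    /* AV_WL16(pkt->data, c->flags) needs at least 2 bytes */

typedef struct {
    unsigned pktsize; /* total size of the frame record */
    unsigned sndsize; /* size of the sound chunk inside it, 0 if absent (assumed) */
} DemoCtx;

static unsigned rl16(const uint8_t *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Parse the header and reject inconsistent sizes right here, so the packet
 * path below can subtract without ever producing a negative or wrapped size. */
int demo_read_frame_header(DemoCtx *c, const uint8_t *buf, size_t len)
{
    if (len < 4)
        return DEMO_EINVAL;
    c->pktsize = rl16(buf);
    c->sndsize = rl16(buf + 2);
    if (c->sndsize != 0 && c->sndsize < SOUND_HDR)   /* "- 4" must not wrap */
        return DEMO_EINVAL;
    if (c->sndsize > c->pktsize)                      /* pktsize - sndsize < 0 */
        return DEMO_EINVAL;
    if (c->pktsize - c->sndsize < VIDEO_HDR)          /* room for the AV_WL16 write */
        return DEMO_EINVAL;
    return 0;
}

/* Sizes the two packet branches would use; both rely on the checks above. */
unsigned demo_video_packet_size(const DemoCtx *c) { return c->pktsize - c->sndsize; }
unsigned demo_sound_payload_size(const DemoCtx *c) { return c->sndsize ? c->sndsize - SOUND_HDR : 0; }

/* The patch's own test, "size < 0", for comparison: it accepts a video part
 * of 0 or 1 bytes, which is too small for the 2-byte AV_WL16 write.  size is
 * assumed to be an int here, as it receives av_get_packet's return value. */
int demo_patch_check_accepts(unsigned pktsize, unsigned sndsize)
{
    int size = (int)(pktsize - sndsize);
    return size >= 0;
}

/* Constructed sample headers for the helpers below: pktsize / sndsize. */
const uint8_t demo_hdr_ok[4]        = {0x10, 0x00, 0x08, 0x00}; /* 16 / 8 */
const uint8_t demo_hdr_snd_big[4]   = {0x04, 0x00, 0x10, 0x00}; /* 4 / 16 */
const uint8_t demo_hdr_snd_short[4] = {0x10, 0x00, 0x02, 0x00}; /* 16 / 2 */
const uint8_t demo_hdr_no_room[4]   = {0x05, 0x00, 0x04, 0x00}; /* 5 / 4  */

/* Derived sizes for a 4-byte header, or 0 when the header is rejected. */
unsigned demo_video_size_of(const uint8_t *buf)
{
    DemoCtx c;
    return demo_read_frame_header(&c, buf, 4) == 0 ? demo_video_packet_size(&c) : 0;
}
unsigned demo_sound_size_of(const uint8_t *buf)
{
    DemoCtx c;
    return demo_read_frame_header(&c, buf, 4) == 0 ? demo_sound_payload_size(&c) : 0;
}
int demo_header_status(const uint8_t *buf, size_t len)
{
    DemoCtx c;
    return demo_read_frame_header(&c, buf, len);
}
```

With the three checks in the parser, neither packet branch needs its own guard, and the header `5 / 4` that the patch's `size < 0` test lets through (a 1-byte video part) is rejected before any packet is allocated.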
