On 02/02/15 09:00, Anton Khirnov wrote: > Quoting Luca Barbato (2015-02-02 03:18:43) >> Bug-Id: CID 1258461 >> CC: [email protected] >> --- >> libavformat/siff.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/libavformat/siff.c b/libavformat/siff.c >> index 8ba7c60..9ef3066 100644 >> --- a/libavformat/siff.c >> +++ b/libavformat/siff.c >> @@ -204,6 +204,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket >> *pkt) >> >> if (!c->curstrm){ >> size = c->pktsize - c->sndsize; >> + if (size < 0) >> + return AVERROR_INVALIDDATA; >> if (av_new_packet(pkt, size) < 0) >> return AVERROR(ENOMEM); >> AV_WL16(pkt->data, c->flags); >> @@ -213,6 +215,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket >> *pkt) >> pkt->stream_index = 0; >> c->curstrm = -1; >> }else{ >> + if (c->sndsize < 4) >> + return AVERROR_INVALIDDATA; >> if ((size = av_get_packet(s->pb, pkt, c->sndsize - 4)) < 0) >> return AVERROR(EIO); >> pkt->stream_index = 1; >> -- >> 1.9.0 >> > > The proper place for those checks seems to be the if () block above > where c->pktsize and c->sndsize are read. >
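Review bot: in the first hunk, `if (size < 0)` guards only the sign of `c->pktsize - c->sndsize`, but the very next lines allocate `size` bytes and then do `AV_WL16(pkt->data, c->flags)`, a 2-byte write, so a size of 0 or 1 passes the new check and is still too small for that write; the bound should be at least `size < 2`. More to the point, as Anton says, this is a derived value: checking `pktsize` and `sndsize` once where they are read (including `pktsize >= sndsize`) would cover this branch and the other one in a single place instead of re-validating at each use.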
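Review bot: in the second hunk, `if (c->sndsize < 4)` does stop `c->sndsize - 4` from going negative before `av_get_packet()`, but it duplicates the intent of the check in the first hunk on the other side of the same `if`/`else`; a single validation of `sndsize` (and `pktsize`) at the point they are parsed would make both of these hunks unnecessary. Unrelated to the added lines but visible in the context: `av_get_packet()` already returns a proper AVERROR code in `size`, so `return AVERROR(EIO);` discards it; returning `size` would preserve the real cause (EOF vs. read error).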
Ok.

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
