omadec: Properly check lengths before incrementing the position
authorMartin Storsjö <martin@martin.st>
Wed, 11 Sep 2013 11:54:05 +0000 (14:54 +0300)
committerMartin Storsjö <martin@martin.st>
Mon, 16 Sep 2013 08:04:52 +0000 (11:04 +0300)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
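--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -172,7 +172,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
     taglen  = AV_RB32(&enc_header[pos + 32]);
     datalen = AV_RB32(&enc_header[pos + 36]) >> 4;
 
-    pos += 44 + taglen;
+    pos += 44;
+    if (size - pos < taglen)
+        return -1;
+
+    pos += taglen;
 
     if (datalen << 4 > size - pos)
         return -1;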
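Review bot: The new guard `if (size - pos < taglen)` is only sound when `pos + 44 <= size` already holds, and nothing in this hunk establishes that. `size` is `unsigned` in the signature, so if `pos` has passed `size` after `pos += 44` the subtraction wraps to a large value and the check passes; the declaration of `pos` is outside the hunk, so its type should be confirmed. The two `AV_RB32` reads at `pos + 32` and `pos + 36` also happen before any length check shown here. If no earlier check in `nprobe` covers this (the function begins and ends outside the hunk), add `if (size < pos + 44) return -1;` ahead of the reads. If one does exist, a short comment above `pos += 44;` naming that invariant would keep a later refactor from breaking it silently.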