avformat/redspark: check coef_off
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 23 Aug 2013 17:12:54 +0000 (19:12 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 23 Aug 2013 18:05:35 +0000 (20:05 +0200)
Fixes out of array reads

Found-by: Laurent Butti <laurentb@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/redspark.c

index 44d5da7..3963261 100644 (file)
@@ -108,6 +108,11 @@ static int redspark_read_header(AVFormatContext *s)
     if (bytestream2_get_byteu(&gbc)) // Loop flag
         coef_off += 16;
 
+    if (coef_off + codec->channels * (32 + 14) > HEADER_SIZE) {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
     codec->extradata_size = 32 * codec->channels;
     codec->extradata = av_malloc(codec->extradata_size);
     if (!codec->extradata) {