ea: check chunk_size for validity.
authorRonald S. Bultje <rsbultje@gmail.com>
Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)
committerRonald S. Bultje <rsbultje@gmail.com>
Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
libavformat/electronicarts.c

index 47ef40f..b215547 100644 (file)
@@ -487,12 +487,17 @@ static int ea_read_packet(AVFormatContext *s,
 
     while (!packet_read) {
         chunk_type = avio_rl32(pb);
-        chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+        chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+        if (chunk_size <= 8)
+            return AVERROR_INVALIDDATA;
+        chunk_size -= 8;
 
         switch (chunk_type) {
         /* audio data */
         case ISNh_TAG:
             /* header chunk also contains data; skip over the header portion*/
+            if (chunk_size < 32)
+                return AVERROR_INVALIDDATA;
             avio_skip(pb, 32);
             chunk_size -= 32;
         case ISNd_TAG:
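Review bot: The new ISNh_TAG guard accepts `chunk_size == 32`, so after `chunk_size -= 32` the case falls through into `ISNd_TAG` with a zero-length payload, while the top-of-loop check (`chunk_size <= 8`) rejects the equivalent empty chunk; the two bounds should agree, and if an empty payload is not meaningful here the guard could read `if (chunk_size <= 32)`. Both checks only protect the subtractions visible in this hunk: the shared audio handling continues outside it, and any further fixed-size header it takes off `chunk_size` needs the same kind of check before subtracting. The declaration of `chunk_size` is also outside the hunk; if it is unsigned, `<= 8` catches only small values and an oversized length read from the file is passed on unchanged, so an upper bound against the remaining input would be worth considering. A `/* fall through */` comment before `case ISNd_TAG:` would make the intentional fallthrough explicit.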