ea: check chunk_size for validity.

author Ronald S. Bultje <rsbultje@gmail.com>

Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)

committer Reinhard Tartler <siretart@tauware.de>

Sun, 3 Jun 2012 17:16:37 +0000 (19:16 +0200)
author Ronald S. Bultje <rsbultje@gmail.com>
Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)
committer Reinhard Tartler <siretart@tauware.de>
Sun, 3 Jun 2012 17:16:37 +0000 (19:16 +0200)
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c

index 06689dd..0a6cdd5 100644 (file)
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -468,12 +468,17 @@ static int ea_read_packet(AVFormatContext *s,
 
     while (!packet_read) {
         chunk_type = avio_rl32(pb);
-        chunk_size = (ea->big_endian ? avio_rb32(pb) : avio_rl32(pb)) - 8;
+        chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb);
+        if (chunk_size <= 8)
+            return AVERROR_INVALIDDATA;
+        chunk_size -= 8;
 
         switch (chunk_type) {
         /* audio data */
         case ISNh_TAG:
             /* header chunk also contains data; skip over the header portion*/
+            if (chunk_size < 32)
+                return AVERROR_INVALIDDATA;
             avio_skip(pb, 32);
             chunk_size -= 32;
         case ISNd_TAG:
author	Ronald S. Bultje <rsbultje@gmail.com>
	Fri, 4 May 2012 23:06:26 +0000 (16:06 -0700)
committer	Reinhard Tartler <siretart@tauware.de>
	Sun, 3 Jun 2012 17:16:37 +0000 (19:16 +0200)