From 640a2427aafa774b83316b7a8c5c2bdc28bfd269 Mon Sep 17 00:00:00 2001
From: Martin Storsjö <martin@martin.st>
Date: Sat, 28 Sep 2013 23:46:04 +0300
Subject: bfi: Add some very basic sanity checks for input packet sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavformat/bfi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/bfi.c b/libavformat/bfi.c
index 5d7ccb85e6..19060e760f 100644
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -132,6 +132,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
         video_offset    = avio_rl32(pb);
         audio_size      = video_offset - audio_offset;
         bfi->video_size = chunk_size - video_offset;
+        if (audio_size < 0 || bfi->video_size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         //Tossing an audio packet at the audio decoder.
         ret = av_get_packet(pb, pkt, audio_size);
-- 
cgit v1.2.3