From b90e795f737c5efb9f65869b304e87a0985b046d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 1 Dec 2012 00:29:39 +0100
Subject: check std tag size before reading. Fixes out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/4xm.c | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'libavformat/4xm.c')
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 0a003d4b8e..1e142f550f 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -134,6 +134,10 @@ static int fourxm_read_header(AVFormatContext *s)
 }
 if (fourcc_tag == std__TAG) {
+ if (header_size < i + 16) {
+ av_log(s, AV_LOG_ERROR, "std TAG truncated\n");
+ return AVERROR_INVALIDDATA;
+ }
 fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
 } else if (fourcc_tag == vtrk_TAG) {
 /* check that there is enough data */
-- cgit v1.2.3
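Review bot: The new truncation branch leaves fourxm_read_header with a bare `return AVERROR_INVALIDDATA;`, so any cleanup the function performs on its other error exits is skipped when a file carries a short std tag. The function begins and ends outside this hunk, so the allocation of `header` is not visible here; if it is heap-allocated earlier in the function, this path leaks it on every malformed input and should go through the function's shared cleanup instead of returning directly. The bound itself matches the four-byte read at `header[i + 12]`; writing it as `if (header_size - i < 16) {` would keep it correct without depending on `i + 16` not wrapping, assuming both are signed ints and `i` stays below `header_size`.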