From 29a290439ba28fde00b2a27d5afef863c63abb37 Mon Sep 17 00:00:00 2001
From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Fri, 1 Apr 2011 09:26:38 +0200
Subject: ape: check that number of seektable entries is equal to number of
 frames

fixes issue2480

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/ape.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavformat/ape.c')

diff --git a/libavformat/ape.c b/libavformat/ape.c
index 6c8880d2c0..5aac00c56a 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -250,6 +250,11 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
         av_log(s, AV_LOG_ERROR, "Too many frames: %d\n", ape->totalframes);
         return -1;
     }
+    if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) {
+        av_log(s, AV_LOG_ERROR, "Number of seek entries is less than number of frames: %d vs. %d\n",
+               ape->seektablelength / sizeof(*ape->seektable), ape->totalframes);
+        return AVERROR_INVALIDDATA;
+    }
     ape->frames       = av_malloc(ape->totalframes * sizeof(APEFrame));
     if(!ape->frames)
         return AVERROR(ENOMEM);
-- 
cgit v1.2.3