From f1c3d4a68a743c1b274dc764e54e2df276a7c774 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Sat, 4 Feb 2012 17:08:34 -0500
Subject: ape: skip packets with invalid size

---
 libavformat/ape.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'libavformat/ape.c')

diff --git a/libavformat/ape.c b/libavformat/ape.c
index 8145db3a76..4d13e4836c 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -379,6 +379,14 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)
     else
         nblocks = ape->blocksperframe;
 
+    if (ape->frames[ape->currentframe].size <= 0 ||
+        ape->frames[ape->currentframe].size > INT_MAX - extra_size) {
+        av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n",
+               ape->frames[ape->currentframe].size);
+        ape->currentframe++;
+        return AVERROR(EIO);
+    }
+
     if (av_new_packet(pkt,  ape->frames[ape->currentframe].size + extra_size) < 0)
         return AVERROR(ENOMEM);
 
-- 
cgit v1.2.3