From 066739f6bc628188bdbbd2695196acfd16ec79e1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 23 Feb 2013 22:05:30 +0100
Subject: pmpdec: check packet sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavformat/pmpdec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'libavformat/pmpdec.c')

diff --git a/libavformat/pmpdec.c b/libavformat/pmpdec.c
index 1ee2e2e19a..06b2271f81 100644
--- a/libavformat/pmpdec.c
+++ b/libavformat/pmpdec.c
@@ -49,6 +49,8 @@ static int pmp_header(AVFormatContext *s)
     int srate, channels;
     int i;
     uint64_t pos;
+    int64_t fsize = avio_size(pb);
+
     AVStream *vst = avformat_new_stream(s, NULL);
     if (!vst)
         return AVERROR(ENOMEM);
@@ -100,8 +102,16 @@ static int pmp_header(AVFormatContext *s)
             return AVERROR_INVALIDDATA;
         }
         size >>= 1;
+        if (size < 9 + 4*pmp->num_streams) {
+            av_log(s, AV_LOG_ERROR, "Packet too small\n");
+            return AVERROR_INVALIDDATA;
+        }
         av_add_index_entry(vst, pos, i, size, 0, flags);
         pos += size;
+        if (fsize > 0 && i == 0 && pos > fsize) {
+            av_log(s, AV_LOG_ERROR, "File ends before first packet\n");
+            return AVERROR_INVALIDDATA;
+        }
     }
     for (i = 1; i < pmp->num_streams; i++) {
         AVStream *ast = avformat_new_stream(s, NULL);
-- 
cgit v1.2.3