mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-08 13:22:53 +02:00
avformat/aadec: Check toc_size to contain the minimum to demuxer uses
Fixes: out of array access Fixes: stack-buffer-overflow-READ-0x0831fff1 Found-by: GalyCannon <galycannon@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
435fa373d1
commit
daa2482871
@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s)
|
||||
avio_skip(pb, 4); // magic string
|
||||
toc_size = avio_rb32(pb); // TOC size
|
||||
avio_skip(pb, 4); // unidentified integer
|
||||
if (toc_size > MAX_TOC_ENTRIES)
|
||||
if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
|
||||
return AVERROR_INVALIDDATA;
|
||||
for (i = 0; i < toc_size; i++) { // read TOC
|
||||
avio_skip(pb, 4); // TOC entry index
|
||||
|
Loading…
Reference in New Issue
Block a user