1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00

avformat/aadec: Check toc_size to contain the minimum to demuxer uses

Fixes: out of array access
Fixes: stack-buffer-overflow-READ-0x0831fff1

Found-by: GalyCannon <galycannon@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-04-07 12:04:25 +02:00
parent 435fa373d1
commit daa2482871

View File

@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s)
avio_skip(pb, 4); // magic string
toc_size = avio_rb32(pb); // TOC size
avio_skip(pb, 4); // unidentified integer
if (toc_size > MAX_TOC_ENTRIES)
if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
return AVERROR_INVALIDDATA;
for (i = 0; i < toc_size; i++) { // read TOC
avio_skip(pb, 4); // TOC entry index