diff options
author | Katerina Barone-Adesi <katerinab@gmail.com> | 2014-09-16 03:40:24 +0400 |
---|---|---|
committer | Diego Biurrun <diego@biurrun.de> | 2014-09-17 18:18:39 +0400 |
commit | d14696c99ccac12a052ce10e70859ffc0293ed6a (patch) | |
tree | dd709e347c6b232c288be56a5b28a3027e0e68a5 | |
parent | d0af7d5745f3e228293633faa9e57994f3308c31 (diff) |
apetag: Fix APE tag size check
The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. So ensure that size remains within the bounds that
these functions can handle.
(cherry picked from commit b45ab61b24a8f2aeafdd4451491b1b30b7875ee5)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
-rw-r--r-- | libavformat/apetag.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libavformat/apetag.c b/libavformat/apetag.c index d4be91c837..9616c2c85e 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -55,8 +55,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } if (flags & APE_TAG_FLAG_IS_BINARY) { uint8_t filename[1024]; enum AVCodecID id; |