github.com/FFmpeg/FFmpeg.git
author Katerina Barone-Adesi <katerinab@gmail.com> 2014-09-16 03:40:24 +0400
committer Diego Biurrun <diego@biurrun.de> 2014-09-17 18:18:39 +0400
commit d14696c99ccac12a052ce10e70859ffc0293ed6a (patch)
tree dd709e347c6b232c288be56a5b28a3027e0e68a5
parent d0af7d5745f3e228293633faa9e57994f3308c31 (diff)

apetag: Fix APE tag size check

The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle.

(cherry picked from commit b45ab61b24a8f2aeafdd4451491b1b30b7875ee5)

Signed-off-by: Diego Biurrun <diego@biurrun.de>

-rw-r--r-- libavformat/apetag.c 6
1 files changed, 4 insertions, 2 deletions
diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index d4be91c837..9616c2c85e 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -55,8 +55,10 @@ static int ape_tag_read_field(AVFormatContext *s)
av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key);
return -1;
}
- if (size >= UINT_MAX)
- return -1;
+ if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_ERROR, "APE tag size too large.\n");
+ return AVERROR_INVALIDDATA;
+ }
if (flags & APE_TAG_FLAG_IS_BINARY) {
uint8_t filename[1024];
enum AVCodecID id;
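
Review bot: the new bound in `if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE)` is written against INT32_MAX, while the commit message gives the reason as size being passed to functions that take signed parameters such as avio_read. Using INT_MAX would tie the limit to the callee's parameter type instead of assuming int is 32 bits wide. A one-line comment saying which later addition the FF_INPUT_BUFFER_PADDING_SIZE margin covers would also help, since the message only says numbers are "sometimes" added and the hunk does not show where. Separately, this path now returns AVERROR_INVALIDDATA with an AV_LOG_ERROR message, but the invalid-key path directly above still does `return -1;` after an AV_LOG_WARNING; consider aligning the two so callers of ape_tag_read_field see consistent error codes.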