avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-02-03 19:04:12 +01:00 · 2015-02-03 19:04:12 +01:00 · 56cc024220
commit 56cc024220
parent e93d3a22cb
1 changed files with 4 additions and 0 deletions
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s)
    while(!avio_feof(pb)){
        pos = avio_tell(pb);
        mpc8_get_chunk_header(pb, &tag, &size);
+        if (size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+            return AVERROR_INVALIDDATA;
+        }
        if(tag == TAG_STREAMHDR)
            break;
        mpc8_handle_chunk(s, tag, pos, size);