diff options
author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-11-08 23:29:28 +0100 |
---|---|---|
committer | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-11-17 23:16:48 +0100 |
commit | 1615d83dcf6ed0401be2f8afbdd8af8d2fc56815 (patch) | |
tree | f342fbb336673314d3f76975db70c44e4aeb41c1 | |
parent | 41359d381a2b5f5057502b2839b5eb42af69804f (diff) | |
download | ffmpeg-1615d83dcf6ed0401be2f8afbdd8af8d2fc56815.tar.gz |
icodec: correctly check avio_read return value
It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.
Also make sure that image->size is positive, so that it can't match a
negative error code.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-rw-r--r-- | libavformat/icodec.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libavformat/icodec.c b/libavformat/icodec.c index fa985fb313..41a2e4b5c6 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -109,6 +109,10 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 5); ico->images[i].size = avio_rl32(pb); + if (ico->images[i].size <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); + return AVERROR_INVALIDDATA; + } ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) @@ -174,9 +178,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) bytestream_put_le16(&buf, 0); bytestream_put_le32(&buf, 0); - if ((ret = avio_read(pb, buf, image->size)) < 0) { + if ((ret = avio_read(pb, buf, image->size)) != image->size) { av_packet_unref(pkt); - return ret; + return ret < 0 ? ret : AVERROR_INVALIDDATA; } st->codecpar->bits_per_coded_sample = AV_RL16(buf + 14); |