From 3d922c84622e7bf8603390b154630c3d62b93b12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Tue, 17 May 2011 19:52:36 +0200 Subject: [PATCH] Make sure neither data_size nor sample_count is negative --- libavformat/wav.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/wav.c b/libavformat/wav.c index 1832bc9660..6b1e574a6e 100644 --- a/libavformat/wav.c +++ b/libavformat/wav.c @@ -238,6 +238,12 @@ static int wav_read_header(AVFormatContext *s, avio_rl64(pb); /* RIFF size */ data_size = avio_rl64(pb); sample_count = avio_rl64(pb); + if (data_size < 0 || sample_count < 0) { + av_log(s, AV_LOG_ERROR, "negative data_size and/or sample_count in " + "ds64: data_size = %li, sample_count = %li\n", + data_size, sample_count); + return AVERROR_INVALIDDATA; + } avio_skip(pb, size - 16); /* skip rest of ds64 chunk */ }