From ae09db1023083cbc99009c9f16e83e159d0ea040 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Dec 2013 17:14:59 +0100 Subject: [PATCH] avformat/dxa: check avio_read() return Fixes use of uninitialized memory Fixes msan_uninit-mem_7fd4d4323ddd_2453_MUSOSP1.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 22ee2a97a5..5b2d7c0cbe 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -169,7 +169,10 @@ static int dxa_read_packet(AVFormatContext *s, AVPacket *pkt) } avio_seek(s->pb, c->vidpos, SEEK_SET); while(!url_feof(s->pb) && c->frames){ - avio_read(s->pb, buf, 4); + if ((ret = avio_read(s->pb, buf, 4)) != 4) { + av_log(s, AV_LOG_ERROR, "failed reading chunk type\n"); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } switch(AV_RL32(buf)){ case MKTAG('N', 'U', 'L', 'L'): if(av_new_packet(pkt, 4 + pal_size) < 0) @@ -187,7 +190,10 @@ static int dxa_read_packet(AVFormatContext *s, AVPacket *pkt) avio_read(s->pb, pal + 4, 768); break; case MKTAG('F', 'R', 'A', 'M'): - avio_read(s->pb, buf + 4, DXA_EXTRA_SIZE - 4); + if ((ret = avio_read(s->pb, buf + 4, DXA_EXTRA_SIZE - 4)) != DXA_EXTRA_SIZE - 4) { + av_log(s, AV_LOG_ERROR, "failed reading dxa_extra\n"); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } size = AV_RB32(buf + 5); if(size > 0xFFFFFF){ av_log(s, AV_LOG_ERROR, "Frame size is too big: %d\n", size);