diff --git a/libavformat/smush.c b/libavformat/smush.c
index 4d3e1380e4..d884cfe9cd 100644
--- a/libavformat/smush.c
+++ b/libavformat/smush.c
@@ -207,10 +207,15 @@ static int smush_read_packet(AVFormatContext *ctx, AVPacket *pkt)
 done = 1;
 break;
 case MKBETAG('W', 'a', 'v', 'e'):
+ if (size < 13)
+ return AVERROR_INVALIDDATA;
 if (av_get_packet(pb, pkt, size) < 0)
 return AVERROR(EIO);
 pkt->stream_index = smush->audio_stream_index;
+ pkt->duration = AV_RB32(pkt->data);
+ if (pkt->duration == 0xFFFFFFFFu)
+ pkt->duration = AV_RB32(pkt->data + 8);
 done = 1;
 break;
 default:
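Review bot: The new `size < 13` guard in the `Wave` case validates the chunk size declared in the file, not the number of bytes `av_get_packet()` actually delivered, and that call can succeed with a shorter packet when the input is truncated. In that case both `AV_RB32(pkt->data)` and `AV_RB32(pkt->data + 8)` derive the duration from bytes that were never read from the stream; packet padding presumably keeps the access inside the allocation, but the value is not file data. I would test the delivered length before parsing, e.g. `if (pkt->size < 12) return AVERROR_INVALIDDATA;` right after the `av_get_packet()` check, releasing the packet first if the caller does not do so on error. A one-line comment saying why the minimum is 13 when the reads only reach offset 12, and what the `0xFFFFFFFF` marker means, would also help the next reader. `smush_read_packet` begins and ends outside this hunk, so how `size` is derived is not visible here.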