From 5b967f56b6d85f62446836fc8ef64d0dcfcbda17 Mon Sep 17 00:00:00 2001
From: John Rummell <jrummell@chromium.org>
Date: Mon, 30 Mar 2020 21:30:33 -0700
Subject: [PATCH] libavformat/amr.c: Check return value from avio_read()

If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with initialized data. Caught by
Chromium fuzzeras (crbug.com/1065731).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/amr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/amr.c b/libavformat/amr.c
index eccbbde5b0..b8a5debb16 100644
--- a/libavformat/amr.c
+++ b/libavformat/amr.c
@@ -89,13 +89,15 @@ static int amr_read_header(AVFormatContext *s)
     AVStream *st;
     uint8_t header[9];
 
-    avio_read(pb, header, 6);
+    if (avio_read(pb, header, 6) != 6)
+        return AVERROR_INVALIDDATA;
 
     st = avformat_new_stream(s, NULL);
     if (!st)
         return AVERROR(ENOMEM);
     if (memcmp(header, AMR_header, 6)) {
-        avio_read(pb, header + 6, 3);
+        if (avio_read(pb, header + 6, 3) != 3)
+            return AVERROR_INVALIDDATA;
         if (memcmp(header, AMRWB_header, 9)) {
             return -1;
         }