From 689a8674131c3852fc78eff1d7c044850d263e22 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 4 Dec 2015 18:48:39 +0100
Subject: [PATCH] avformat/msf: Check channels when reading the header

Fixes integer overflow
Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/msf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/msf.c b/libavformat/msf.c
index 1d9c999158..73a5a0157d 100644
--- a/libavformat/msf.c
+++ b/libavformat/msf.c
@@ -51,7 +51,7 @@ static int msf_read_header(AVFormatContext *s)
     st->codec->codec_type  = AVMEDIA_TYPE_AUDIO;
     codec                  = avio_rb32(s->pb);
     st->codec->channels    = avio_rb32(s->pb);
-    if (st->codec->channels <= 0)
+    if (st->codec->channels <= 0 || st->codec->channels >= INT_MAX / 1024)
         return AVERROR_INVALIDDATA;
     size = avio_rb32(s->pb);
     st->codec->sample_rate = avio_rb32(s->pb);