From 342c43d154e586bc022c86b168fe8d36f69da9d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Wed, 11 Sep 2013 14:54:05 +0300
Subject: [PATCH] omadec: Properly check lengths before incrementing the position
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
---
 libavformat/omadec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index e49178290e..274112e5af 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -172,7 +172,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
 taglen = AV_RB32(&enc_header[pos + 32]);
 datalen = AV_RB32(&enc_header[pos + 36]) >> 4;
- pos += 44 + taglen;
+ pos += 44;
+ if (size - pos < taglen)
+ return -1;
+
+ pos += taglen;
 if (datalen << 4 > size - pos)
 return -1;
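Review bot: The added guard `if (size - pos < taglen)` and the existing `if (datalen << 4 > size - pos)` both rely on an unsigned subtraction, so they only reject an oversized length field if `size >= pos` already holds after `pos += 44;`. If it does not, `size - pos` wraps to a large value and the attacker-controlled `taglen` passes. The `AV_RB32` reads at `pos + 32` and `pos + 36` suggest a bound on `size` is established earlier, but nprobe starts before and continues after this hunk, so that check is not visible here. State the invariant where it is relied on, e.g. `/* caller-side check above guarantees size >= pos + 44, so size - pos cannot wrap */` before `pos += 44;`, or make the guard self-contained with `if (size < pos || size - pos < taglen) return -1;`.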