From f7e616959aff8706edccdae763c24c897c449f6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Fri, 20 Sep 2013 12:26:45 +0300
Subject: [PATCH] electronicarts: Check packet sizes before reading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavformat/electronicarts.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index e764bd96eb..b0e0674ad8 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -555,10 +555,16 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt)
             case AV_CODEC_ID_ADPCM_EA_R1:
             case AV_CODEC_ID_ADPCM_EA_R2:
             case AV_CODEC_ID_ADPCM_IMA_EA_EACS:
-                pkt->duration = AV_RL32(pkt->data);
-                break;
             case AV_CODEC_ID_ADPCM_EA_R3:
-                pkt->duration = AV_RB32(pkt->data);
+                if (pkt->size < 4) {
+                    av_log(s, AV_LOG_ERROR, "Packet is too short\n");
+                    av_free_packet(pkt);
+                    return AVERROR_INVALIDDATA;
+                }
+                if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3)
+                    pkt->duration = AV_RB32(pkt->data);
+                else
+                    pkt->duration = AV_RL32(pkt->data);
                 break;
             case AV_CODEC_ID_ADPCM_IMA_EA_SEAD:
                 pkt->duration = ret * 2 / ea->num_channels;