diff --git a/libavformat/apngenc.c b/libavformat/apngenc.c index 7443c77504..1c039685f2 100644 --- a/libavformat/apngenc.c +++ b/libavformat/apngenc.c @@ -27,6 +27,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/log.h" #include "libavutil/opt.h" +#include "libavcodec/apng.h" #include "libavcodec/png.h" typedef struct APNGMuxContext { @@ -181,6 +182,9 @@ static int flush_packet(AVFormatContext *format_context, AVPacket *packet) if (existing_fcTL_chunk) { AVRational delay; + if (AV_RB32(existing_fcTL_chunk) != APNG_FCTL_CHUNK_SIZE) + return AVERROR_INVALIDDATA; + existing_fcTL_chunk += 8; delay.num = AV_RB16(existing_fcTL_chunk + 20); delay.den = AV_RB16(existing_fcTL_chunk + 22);