From f89446eaff0537bbf6e390584d32375c6b65ea2f Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Mon, 4 Jul 2022 15:35:04 +0200
Subject: [PATCH] avformat/apngenc: Check fcTL size

The remaining code relies on it having the value it should have.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/apngenc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/apngenc.c b/libavformat/apngenc.c
index 7443c77504..1c039685f2 100644
--- a/libavformat/apngenc.c
+++ b/libavformat/apngenc.c
@@ -27,6 +27,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
 #include "libavutil/opt.h"
+#include "libavcodec/apng.h"
 #include "libavcodec/png.h"
 typedef struct APNGMuxContext {
@@ -181,6 +182,9 @@ static int flush_packet(AVFormatContext *format_context, AVPacket *packet)
 if (existing_fcTL_chunk) {
 AVRational delay;
+ if (AV_RB32(existing_fcTL_chunk) != APNG_FCTL_CHUNK_SIZE)
+ return AVERROR_INVALIDDATA;
+
 existing_fcTL_chunk += 8;
 delay.num = AV_RB16(existing_fcTL_chunk + 20);
 delay.den = AV_RB16(existing_fcTL_chunk + 22);
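Review bot: The added check in flush_packet validates only the length field stored in the chunk, so the reads at `existing_fcTL_chunk + 20` and `+ 22` after the `+= 8` are in bounds only if the packet really holds that many bytes past the chunk start; whether the lookup that produced `existing_fcTL_chunk` already guarantees this is not visible in the hunk. If it does not, the condition should also compare the bytes remaining in the packet from the chunk start with `12 + APNG_FCTL_CHUNK_SIZE` (length, type, data, CRC), since the packet contents may come from an untrusted file. The silent `AVERROR_INVALIDDATA` is also hard to diagnose, so consider `av_log(format_context, AV_LOG_ERROR, "Invalid fcTL chunk size\n");` before the return. The body of flush_packet starts and ends outside the hunk.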