Fixes: out of array access
Fixes: 29446/clusterfuzz-testcase-minimized-ffmpeg_dem_AAC_fuzzer-5096222622875648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
/* mimetype */
if (isv34) {
- taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype));
+ int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype));
+ if (ret < 0 || ret >= taglen)
+ goto fail;
+ taglen -= ret;
} else {
if (avio_read(pb, mimetype, 3) < 0)
goto fail;
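Review bot: In the isv34 branch, the new test "ret >= taglen" also rejects ret == taglen, the case where the MIME type string consumes the entire tag. That looks intended, since nothing would be left in the tag after the mimetype, but the reason deserves a one-line comment above the check: the old code subtracted the return value from taglen unconditionally, so a negative return or a string as long as the tag left taglen at zero or out of range, and the new condition is the only place that documents the invariant taglen > 0 after the mimetype. Separately, the else branch in the context still only tests "avio_read(pb, mimetype, 3) < 0", so a short read of fewer than 3 bytes is accepted; consider comparing the return value against 3 there, and confirming that taglen is at least 3 before that read, so both paths get the same bounds treatment.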