avcodec/cfhd: Check the number of tag/value pairs

[ffmpeg] / libavcodec / cfhd.c

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index 2436aae249d53edcbf433f66efb01b10481aef77..5ecfcefba5c88017fb8ef9cb3116ff186b64e034 100644 (file)
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -344,6 +344,11 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             break;
         } else if (tag == 2) {
             av_log(avctx, AV_LOG_DEBUG, "tag=2 header - skipping %i tag/value pairs\n", data);
+            if (data > bytestream2_get_bytes_left(&gb) / 4) {
+                av_log(avctx, AV_LOG_ERROR, "too many tag/value pairs (%d)\n", data);
+                ret = AVERROR_INVALIDDATA;
+                break;
+            }
             for (i = 0; i < data; i++) {
                 uint16_t tag2 = bytestream2_get_be16(&gb);
                 uint16_t val2 = bytestream2_get_be16(&gb);