Replace lena.pnm

[ffmpeg] / libavformat / 4xm.c

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 1270fa332bc8b4a57d0d5745dd3144b1e702b30e..6253ffb58ee4159080a88233f73eb235a7d62fe5 100644 (file)
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
 }
 
 static int parse_vtrk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
     AVStream *st;
     /* check that there is enough data */
-    if (size != vtrk_SIZE) {
+    if (size != vtrk_SIZE || left < size + 8) {
         return AVERROR_INVALIDDATA;
     }
 
@@ -109,8 +110,11 @@ static int parse_vtrk(AVFormatContext *s,
 
     st->codec->codec_type     = AVMEDIA_TYPE_VIDEO;
     st->codec->codec_id       = AV_CODEC_ID_4XM;
+
+    st->codec->extradata      = av_mallocz(4 + FF_INPUT_BUFFER_PADDING_SIZE);
+    if (!st->codec->extradata)
+        return AVERROR(ENOMEM);
     st->codec->extradata_size = 4;
-    st->codec->extradata      = av_malloc(4);
     AV_WL32(st->codec->extradata, AV_RL32(buf + 16));
     st->codec->width  = AV_RL32(buf + 36);
     st->codec->height = AV_RL32(buf + 40);
@@ -120,15 +124,18 @@ static int parse_vtrk(AVFormatContext *s,
 
 
 static int parse_strk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
     AVStream *st;
     int track;
     /* check that there is enough data */
-    if (size != strk_SIZE)
+    if (size != strk_SIZE || left < size + 8)
         return AVERROR_INVALIDDATA;
 
     track = AV_RL32(buf + 8);
+    if (track < 0)
+        return AVERROR_INVALIDDATA;
     if (track + 1 > fourxm->track_count) {
         if (av_reallocp_array(&fourxm->tracks, track + 1, sizeof(AudioTrack)))
             return AVERROR(ENOMEM);
@@ -144,7 +151,7 @@ static int parse_strk(AVFormatContext *s,
 
     if (fourxm->tracks[track].channels    <= 0 ||
         fourxm->tracks[track].sample_rate <= 0 ||
-        fourxm->tracks[track].bits        < 0) {
+        fourxm->tracks[track].bits        <= 0) {
         av_log(s, AV_LOG_ERROR, "audio header invalid\n");
         return AVERROR_INVALIDDATA;
     }
@@ -217,14 +224,20 @@ static int fourxm_read_header(AVFormatContext *s)
         size       = AV_RL32(&header[i + 4]);
 
         if (fourcc_tag == std__TAG) {
+            if (header_size - i < 16) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
         } else if (fourcc_tag == vtrk_TAG) {
-            if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_vtrk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                 goto fail;
 
             i += 8 + size;
         } else if (fourcc_tag == strk_TAG) {
-            if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_strk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                 goto fail;
 
             i += 8 + size;