dsicinvideo: validate buffer offset before copying pixels.
[ffmpeg] / libavformat / ape.c
index 8145db3a767c638e26d2901c929ac4a3d6bf30ff..19682867458e84d909f2d347abea124d81f85959 100644 (file)
@@ -335,7 +335,6 @@ static int ape_read_header(AVFormatContext * s)
     st->codec->channels        = ape->channels;
     st->codec->sample_rate     = ape->samplerate;
     st->codec->bits_per_coded_sample = ape->bps;
-    st->codec->frame_size      = MAC_SUBFRAME_SIZE;
 
     st->nb_frames = ape->totalframes;
     st->start_time = 0;
@@ -379,6 +378,14 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)
     else
         nblocks = ape->blocksperframe;
 
+    if (ape->frames[ape->currentframe].size <= 0 ||
+        ape->frames[ape->currentframe].size > INT_MAX - extra_size) {
+        av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n",
+               ape->frames[ape->currentframe].size);
+        ape->currentframe++;
+        return AVERROR(EIO);
+    }
+
     if (av_new_packet(pkt,  ape->frames[ape->currentframe].size + extra_size) < 0)
         return AVERROR(ENOMEM);
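Review bot: The upper bound in the added check, `size > INT_MAX - extra_size`, only keeps the sum passed to av_new_packet() from overflowing. A frame size just under that limit (the value is presumably taken from the parsed file) still passes and requests an allocation of roughly 2 GiB. If the input length is known at this point, comparing the frame size with the bytes remaining in the input would reject such values before allocating; failing that, a comment such as `/* only guards the int addition below; size is not checked against the actual file length */` would make the limit of the check explicit. The expression `ape->frames[ape->currentframe].size` appears four times in these lines and would read better as a local. ape_read_packet starts and ends outside the hunk, so whether `ape->currentframe` is range-checked before it is used as an index cannot be seen here.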