X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Favs.c;h=ad5ac05988d3a925a9116fb2ebf4e4a6f29b28c2;hb=39f6733f0593064ae5148dd6484f1d7c74d7cae5;hp=89b2642c36b3eae729fbf99c897ea5411c183fde;hpb=d2a847c203b5876e2bb5f0bc216b0af625f077a2;p=ffmpeg

diff --git a/libavformat/avs.c b/libavformat/avs.c
index 89b2642c36b..ad5ac05988d 100644
--- a/libavformat/avs.c
+++ b/libavformat/avs.c
@@ -163,10 +163,14 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt)
             sub_type = avio_r8(s->pb);
             type = avio_r8(s->pb);
             size = avio_rl16(s->pb);
+            if (size < 4)
+                return AVERROR_INVALIDDATA;
             avs->remaining_frame_size -= size;
 
             switch (type) {
             case AVS_PALETTE:
+                if (size - 4 > sizeof(palette))
+                    return AVERROR_INVALIDDATA;
                 ret = avio_read(s->pb, palette, size - 4);
                 if (ret < size - 4)
                     return AVERROR(EIO);