X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fomadec.c;h=1cd8fdf9d5d44b2348a8c367bd24a6bb8acf655c;hb=31dfe20dd2fe16c2a3a6816d140b8a32dbdc06ba;hp=a62b560504f30a86ce742faaf1be83cf2a698f78;hpb=0ebd83617fe008b7e9766f659cc3d9618b2d80d2;p=ffmpeg

diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index a62b560504f..1cd8fdf9d5d 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -219,6 +219,12 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
         av_log(s, AV_LOG_ERROR, "Invalid encryption header\n");
         return -1;
     }
+    if (   OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size + 8 > geob->datasize
+        || OMA_ENC_HEADER_SIZE + 48 > geob->datasize
+    ) {
+        av_log(s, AV_LOG_ERROR, "Too little GEOB data\n");
+        return AVERROR_INVALIDDATA;
+    }
     oc->rid = AV_RB32(&gdata[OMA_ENC_HEADER_SIZE + 28]);
     av_log(s, AV_LOG_DEBUG, "RID: %.8x\n", oc->rid);
 
@@ -377,7 +383,7 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     if (oc->encrypted) {
         /* previous unencrypted block saved in IV for the next packet (CBC mode) */
-        av_des_crypt(&oc->av_des, pkt->data, pkt->data, (packet_size >> 3), oc->iv, 1);
+        av_des_crypt(&oc->av_des, pkt->data, pkt->data, (ret >> 3), oc->iv, 1);
     }
 
     return ret;