flvdec: Check the avio_seek return value after reading a metadata packet

merge from libav: 585dc1aecef0371ad6f16cb3750ae2a6da9cf00a

If the metadata packet is corrupted, flv_read_metabody can accidentally
read past the start of the next packet. If the start of the  next packet
had been flushed out of the IO buffer, we would be unable to seek to
the right position (on a nonseekable stream).

Prefer to clearly error out instead of silently  trying to read from a
desynced stream which will only be interpreted as garbage.

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 2e70352c5374c65b8b71e55a2aabe6e19063bc72..2d89bef15f25b3d29722bdf5885a3af1d0a2004c 100644 (file)
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -1015,7 +1015,13 @@ retry:
                    "Skipping flv packet: type %d, size %d, flags %d.\n",
                    type, size, flags);
 skip:
-            avio_seek(s->pb, next, SEEK_SET);
+            if (avio_seek(s->pb, next, SEEK_SET) != next) {
+                 // This can happen if flv_read_metabody above read past
+                 // next, on a non-seekable input, and the preceding data has
+                 // been flushed out from the IO buffer.
+                 av_log(s, AV_LOG_ERROR, "Unable to seek to the next packet\n");
+                 return AVERROR_INVALIDDATA;
+            }
             ret = FFERROR_REDO;
             goto leave;
         }