avformat/aadec: Check toc_size to contain the minimum to demuxer uses

Fixes: out of array access
Fixes: stack-buffer-overflow-READ-0x0831fff1
Found-by: GalyCannon <galycannon@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/aadec.c b/libavformat/aadec.c
index b9dd51ebfc3da00eac322f95a081872f35365e90..63f8176a570efaefc43b23d1cc35e6c5e7de18ce 100644 (file)
--- a/libavformat/aadec.c
+++ b/libavformat/aadec.c
@@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s)
     avio_skip(pb, 4); // magic string
     toc_size = avio_rb32(pb); // TOC size
     avio_skip(pb, 4); // unidentified integer
-    if (toc_size > MAX_TOC_ENTRIES)
+    if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
         return AVERROR_INVALIDDATA;
     for (i = 0; i < toc_size; i++) { // read TOC
         avio_skip(pb, 4); // TOC entry index