| Message ID | 20201031141626.727000-3-andreas.rheinhardt@gmail.com |
|---|---|
| State | Accepted |
| Commit | d9363b56a6b134e90fff8098cbd46a642f9cf99d |
| Headers | show |
| Series | [FFmpeg-devel,v3,1/4] avformat/apngdec: Return error for incomplete header | expand |
| Context | Check | Description |
|---|---|---|
| andriy/x86_make | success | Make finished |
| andriy/x86_make_fate | success | Make fate finished |
diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index d8d0de190f..6b2ce2e251 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -226,7 +226,7 @@ static int apng_read_header(AVFormatContext *s) ctx->num_frames, ctx->num_play); break; case MKTAG('f', 'c', 'T', 'L'): - if (!acTL_found) { + if (!acTL_found || len != 26) { ret = AVERROR_INVALIDDATA; goto fail; }
Reading the header terminates when an fcTL chunk is encountered in which case read_header returned success without checking the length of said chunk. Yet when read_packet processes this chunk, it checks for the length to be 26 and errors out otherwise. So do so when reading the header, too. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavformat/apngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)