diff mbox series

[FFmpeg-devel,v3,3/4] avformat/apngdec: Check fcTL chunk length when reading header

Message ID 20201031141626.727000-3-andreas.rheinhardt@gmail.com
State Accepted
Commit d9363b56a6b134e90fff8098cbd46a642f9cf99d
Headers show
Series [FFmpeg-devel,v3,1/4] avformat/apngdec: Return error for incomplete header
Related show


Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Andreas Rheinhardt Oct. 31, 2020, 2:16 p.m. UTC
Reading the header terminates when an fcTL chunk is encountered in which
case read_header returned success without checking the length of said
chunk. Yet when read_packet processes this chunk, it checks for the
length to be 26 and errors out otherwise. So do so when reading the header,

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
 libavformat/apngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series


diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index d8d0de190f..6b2ce2e251 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -226,7 +226,7 @@  static int apng_read_header(AVFormatContext *s)
                                     ctx->num_frames, ctx->num_play);
         case MKTAG('f', 'c', 'T', 'L'):
-            if (!acTL_found) {
+            if (!acTL_found || len != 26) {
                ret = AVERROR_INVALIDDATA;
                goto fail;