ac4dec: Check remaining space in ac4_probe()

Michael Niedermayer Wed, 22 May 2024 18:18:20 -0700

Fixes: CID1538298 Untrusted loop bound
Fixes: undefined behavior

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/ac4dec.c | 2 ++
 1 file changed, 2 insertions(+)


diff --git a/libavformat/ac4dec.c b/libavformat/ac4dec.c
index f647f557ccd..dc6638de3a4 100644
--- a/libavformat/ac4dec.c
+++ b/libavformat/ac4dec.c
@@ -43,6 +43,8 @@ static int ac4_probe(const AVProbeData *p)
             size += 4;
             if (buf[1] == 0x41)
                 size += 2;
+            if (left < size)
+                break;
             max_frames++;
             left -= size;
             buf += size;
-- 
2.45.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/7] avformat/ac4dec: Check remaining space in ac4_probe()

Reply via email to