avformat/aadec: Check toc_size to contain the minimum to demuxer uses

Fixes: out of array access Fixes: stack-buffer-overflow-READ-0x0831fff1 Found-by: GalyCannon <galycannon@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit daa2482871dffa9af12fa6d874a3d2dedd73f42e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-04-07 12:04:25 +02:00 · 2020-04-07 12:04:25 +02:00 · 862801c68c
commit 862801c68c
parent 6f582f69df
1 changed files with 1 additions and 1 deletions
--- a/libavformat/aadec.c
+++ b/libavformat/aadec.c
@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s)
    avio_skip(pb, 4); // magic string
    toc_size = avio_rb32(pb); // TOC size
    avio_skip(pb, 4); // unidentified integer
-    if (toc_size > MAX_TOC_ENTRIES)
+    if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
        return AVERROR_INVALIDDATA;
    for (i = 0; i < toc_size; i++) { // read TOC
        avio_skip(pb, 4); // TOC entry index