From 213b8aa0a90585f13aebb7fba39cbd3e367e98a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Sat, 28 Sep 2013 23:46:04 +0300
Subject: [PATCH] bfi: Add some very basic sanity checks for input packet sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 640a2427aafa774b83316b7a8c5c2bdc28bfd269)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 10f384e4f5d0ee692cacaf90d629d8bc2178b092)
---
 libavformat/bfi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/bfi.c b/libavformat/bfi.c
index c0b5681744..326c1f3e83 100644
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -130,6 +130,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
         video_offset    = avio_rl32(pb);
         audio_size      = video_offset - audio_offset;
         bfi->video_size = chunk_size - video_offset;
+        if (audio_size < 0 || bfi->video_size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         //Tossing an audio packet at the audio decoder.
         ret = av_get_packet(pb, pkt, audio_size);