Merge commit 'b989bb7adee0f3286dcaa63c5cd0753eac45f6be' into release/0.10

* commit 'b989bb7adee0f3286dcaa63c5cd0753eac45f6be': apetag: Fix APE tag size check Merged-by: Michael Niedermayer <michaelni@gmx.at>
2015-03-11 22:05:00 +01:00 · 2015-03-11 22:05:00 +01:00 · c1f9be99d7
commit c1f9be99d7
parent c388db185c b989bb7ade
1 changed files with 4 additions and 2 deletions
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@ -51,8 +51,10 @@ static int ape_tag_read_field(AVFormatContext *s)
        av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key);
        return -1;
    }
-    if (size >= UINT_MAX)
-        return -1;
+    if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) {
+        av_log(s, AV_LOG_ERROR, "APE tag size too large.\n");
+        return AVERROR_INVALIDDATA;
+    }
    value = av_malloc(size+1);
    if (!value)
        return AVERROR(ENOMEM);