--- libavformat/swfdec.c.orig 2012-10-02 14:58:19.000000000 +0200 +++ libavformat/swfdec.c 2012-12-12 12:17:34.480049142 +0100 @@ -151,7 +151,11 @@ uint64_t pos = avio_tell(pb); tag = get_swf_tag(pb, &len); if (tag < 0) - return tag; + return AVERROR(EIO); + if (len < 0) { + av_log(s, AV_LOG_ERROR, "invalid tag length: %d\n", len); + return AVERROR_INVALIDDATA; + } if (tag == TAG_VIDEOSTREAM) { int ch_id = avio_rl16(pb); len -= 2; @@ -207,7 +211,10 @@ st = s->streams[i]; if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) { frame = avio_rl16(pb); - if ((res = av_get_packet(pb, pkt, len-2)) < 0) + len -= 2; + if (len <= 0) + goto skip; + if ((res = av_get_packet(pb, pkt, len)) < 0) return res; pkt->pos = pos; pkt->pts = frame; @@ -219,17 +226,22 @@ for (i = 0; i < s->nb_streams; i++) { st = s->streams[i]; if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) { - if (st->codec->codec_id == AV_CODEC_ID_MP3) { - avio_skip(pb, 4); - if ((res = av_get_packet(pb, pkt, len-4)) < 0) - return res; - } else { // ADPCM, PCM - if ((res = av_get_packet(pb, pkt, len)) < 0) - return res; - } - pkt->pos = pos; - pkt->stream_index = st->index; - return pkt->size; + if (st->codec->codec_id == AV_CODEC_ID_MP3) { + avio_skip(pb, 4); + len -= 4; + if (len <= 0) + goto skip; + if ((res = av_get_packet(pb, pkt, len)) < 0) + return res; + } else { // ADPCM, PCM + if (len <= 0) + goto skip; + if ((res = av_get_packet(pb, pkt, len)) < 0) + return res; + } + pkt->pos = pos; + pkt->stream_index = st->index; + return pkt->size; } } } else if (tag == TAG_JPEG2) { @@ -249,7 +261,10 @@ st = vst; } avio_rl16(pb); /* BITMAP_ID */ - if ((res = av_new_packet(pkt, len-2)) < 0) + len -= 2; + if (len < 4) + goto skip; + if ((res = av_new_packet(pkt, len)) < 0) return res; avio_read(pb, pkt->data, 4); if (AV_RB32(pkt->data) == 0xffd8ffd9 || @@ -266,6 +281,7 @@ return pkt->size; } skip: + len = FFMAX(0, len); avio_skip(pb, len); } }