mpc8: Check the seek table size parsed from the bitstream

Limit the size to INT_MAX/2 (for simplicity) to be sure that size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>

mpc8: Check the seek table size parsed from the bitstream
459f2b39 · Martin Storsjö · 0d61f260 · 459f2b39
Commit 459f2b39 authored 11 years ago by Martin Storsjö
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
        av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
        return;
    }
+    if (size < 0 || size >= INT_MAX / 2) {
+        av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+        return;
+    }
    if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
        return;
    avio_read(s->pb, buf, size);