From 0780fe27404c24d58bf9b2a3b928d885772bc702 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 7 Jan 2013 21:31:40 +0100
Subject: rmdec: Limit videobufsize to remaining amount of data
Fixes excessive memory allocation
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/rmdec.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'libavformat/rmdec.c')
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 3b476ff..ee1e0ff 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -25,6 +25,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/dict.h"
 #include "avformat.h"
+#include "avio_internal.h"
 #include "internal.h"
 #include "rmsipr.h"
 #include "rm.h"
@@ -696,6 +697,10 @@ static int rm_assemble_video_frame(AVFormatContext *s, AVIOContext *pb,
 *pseq = seq;
 if((seq & 0x7F) == 1 || vst->curpic_num != pic_num){
+ if (len2 > ffio_limit(pb, len2)) {
+ av_log(s, AV_LOG_ERROR, "Impossibly sized packet\n");
+ return AVERROR_INVALIDDATA;
+ }
 vst->slices = ((hdr & 0x3F) << 1) + 1;
 vst->videobufsize = len2 + 8*vst->slices + 1;
 av_free_packet(&vst->pkt); //FIXME this should be output.
-- cgit v1.1
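Review bot: The new guard in rm_assemble_video_frame bounds len2 only as far as ffio_limit() can tell how much data remains; its definition is not in this hunk, but if it returns the size unchanged when the input length is unknown (for example a non-seekable stream), videobufsize is still sized from the file unchecked on that path. If len2 is a signed type (its declaration is outside the hunk), negative values could be rejected in the same test, `if (len2 < 0 || len2 > ffio_limit(pb, len2)) {`. A short comment above the check would record why it exists: `/* len2 is read from the file; refuse sizes beyond the remaining data before sizing videobufsize */`. Logging the rejected value alongside "Impossibly sized packet" would also help when triaging malformed samples. The function body starts and ends outside the hunk.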