avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.

Fixes ticket #4262.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2019-14442.patch

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 3564e81c3231855db2c5abc0f58631301e42714c..4b12219e8d36f04fe31f23bc1ce3e21f07ccbfe8 100644 (file)
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -216,6 +216,10 @@ static int mpc8_read_header(AVFormatContext *s)
     while(!pb->eof_reached){
         pos = avio_tell(pb);
         mpc8_get_chunk_header(pb, &tag, &size);
+        if (size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+            return AVERROR_INVALIDDATA;
+        }
         if(tag == TAG_STREAMHDR)
             break;
         mpc8_handle_chunk(s, tag, pos, size);