When encountering a nonsensical chunk size such as (guint)-1, error out cleanly instead of
continuing and trying to g_memdup() 4GB of data that doesn't exist, which will either abort
in g_malloc() or crash.
Fixes #553295, crash with fuzzed AVI file.
GST_DEBUG_OBJECT (element, "fourcc=%" GST_FOURCC_FORMAT ", size=%u",
GST_FOURCC_ARGS (fourcc), size);
+ /* be paranoid: size may be nonsensical value here, such as (guint) -1 */
+ if (G_UNLIKELY (size > G_MAXINT))
+ goto bogus_size;
+
if (bufsize < size + 8 + offset) {
GST_DEBUG_OBJECT (element,
"Needed chunk data (%d) is more than available (%d), shortcutting",
offset, bufsize, 8);
return FALSE;
}
+bogus_size:
+ {
+ GST_ERROR_OBJECT (element, "Broken file: bogus chunk size %u", size);
+ return FALSE;
+ }
}
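Review bot: The new guard caps `size` at G_MAXINT, but the comparison that follows, `bufsize < size + 8 + offset`, is still evaluated in unsigned arithmetic (`size` is printed with `%u` above), so if `offset` can be large the sum can still wrap and the shortcut is skipped; a wrap-free form such as `if (offset > bufsize || bufsize - offset < size + 8)` would close that, unless `offset` is already bounded earlier in the function, whose start is outside the hunk. The debug message in that branch also passes three arguments (`offset, bufsize, 8`) to a format with only two `%d` conversions and prints `offset` where the needed chunk size is meant, which the commit leaves untouched; `"Needed chunk data (%u) is more than available (%u), shortcutting", size, bufsize` would match the arguments. The `bogus_size` label should carry a one-line comment stating that it is only reached from the G_MAXINT check, e.g. `/* ERRORS */`, since the label sits after the function's normal return path and is easy to mistake for dead code.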
/**