From a55a70644872027fdf76a75edf12a09c9008880f Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Date: Wed, 6 May 2015 02:26:57 +0200
Subject: [PATCH] avi: Validate sample_size

And either error out or set it to 0 if it is negative.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavformat/avidec.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index c24a6c4..54c4814 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -569,6 +569,23 @@ static int avi_read_header(AVFormatContext *s)
                 av_log(s, AV_LOG_ERROR, "unknown stream type %X\n", tag1);
                 goto fail;
             }
+
+            if (ast->sample_size < 0) {
+                if (s->error_recognition & AV_EF_EXPLODE) {
+                    av_log(s, AV_LOG_ERROR,
+                           "Invalid sample_size %d at stream %d\n",
+                           ast->sample_size,
+                           stream_index);
+                    goto fail;
+                }
+                av_log(s, AV_LOG_WARNING,
+                       "Invalid sample_size %d at stream %d "
+                       "setting it to 0\n",
+                       ast->sample_size,
+                       stream_index);
+                ast->sample_size = 0;
+            }
+
             if (ast->sample_size == 0)
                 st->duration = st->nb_frames;
             ast->frame_offset = ast->cum_len;
-- 
2.7.4