avformat/tta: fix crash with corrupted files

av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files. The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.) Fixes ticket #4294. Reviewed-by: Paul B Mahol <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 6a0cd52) Signed-off-by: Michael Niedermayer <[email protected]>
luzi82 · Mar 13, 2015 · 0a3371f · 0a3371f
1 parent a1fec9d
commit 0a3371f
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/libavformat/tta.c b/libavformat/tta.c
@@ -96,8 +96,10 @@ static int tta_read_header(AVFormatContext *s)
 
     for (i = 0; i < c->totalframes; i++) {
         uint32_t size = avio_rl32(s->pb);
-        av_add_index_entry(st, framepos, i * c->frame_size, size, 0,
-                           AVINDEX_KEYFRAME);
+        int r;
+        if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0,
+                                    AVINDEX_KEYFRAME)) < 0)
+            return r;
         framepos += size;
     }
     avio_skip(s->pb, 4); // seektable crc
@@ -135,6 +137,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt)
     if (c->currentframe >= c->totalframes)
         return AVERROR_EOF;
 
+    if (st->nb_index_entries < c->totalframes) {
+        av_log(s, AV_LOG_ERROR, "Index entry disappeared\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     size = st->index_entries[c->currentframe].size;
 
     ret = av_get_packet(s->pb, pkt, size);