avformat/lafdec: Check for EOF in header reading

michaelni · michaelni · commit b92260f70a4a · 2022-12-23T00:43:02.000+01:00
Fixes: OOM testcase Fixes: 51527/clusterfuzz-testcase-minimized-ffmpeg_dem_LAF_fuzzer-5453663505612800 OOM can still happen after this as an arbitrary sized block is allocated and read this would require a redesign or some limit on the sample rate. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
diff --git a/libavformat/lafdec.c b/libavformat/lafdec.c
@@ -111,6 +111,9 @@ static int laf_read_header(AVFormatContext *ctx)
     sample_rate = avio_rl32(pb);
     duration = avio_rl64(pb) / st_count;
 
+    if (avio_feof(pb))
+        return AVERROR_INVALIDDATA;
+
     switch (quality) {
     case 0:
         codec_id = AV_CODEC_ID_PCM_U8;
