From be2fd1735a9f70305e333fd50c3f8a4a280c96c9 Mon Sep 17 00:00:00 2001
From: Urvang Joshi
Date: Wed, 23 Jan 2013 00:49:37 +0000
Subject: [PATCH] Mux: fix a scenario with bad ANMF/FRGM size

When a ANMF/FRGM chunk size (read from file) is smaller than ANMF/FRGM header size (which is constant and implicit), the parser should report an error.

Change-Id: I91d71889937f5133a97f1e83d5254cb2d7f37028
---
 src/mux/muxread.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/mux/muxread.c b/src/mux/muxread.c
index 526c3002..8a3ff12f 100644
--- a/src/mux/muxread.c
+++ b/src/mux/muxread.c
@@ -92,6 +92,9 @@ static int MuxImageParse(const WebPChunk* const chunk, int copy_data,
 const size_t hdr_size = (chunk->tag_ == kChunks[IDX_ANMF].tag) ?
 ANMF_CHUNK_SIZE : FRGM_CHUNK_SIZE;
 const WebPData temp = { bytes, hdr_size };
+ // Each of ANMF and FRGM chunk contain a header at the beginning. So, its
+ // size should at least be 'hdr_size'.
+ if (size < hdr_size) goto Fail;
 ChunkAssignData(&subchunk, &temp, copy_data, chunk->tag_);
 }
 ChunkSetNth(&subchunk, &wpi->header_, 1);
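Review bot: The comment above `if (size < hdr_size) goto Fail;` says the chunk must hold a header but not what the check protects: `temp` is declared as `{ bytes, hdr_size }` regardless of the real payload length, so without the guard `ChunkAssignData` would be handed a view that extends past the chunk data read from the file. I would word it as `// ANMF/FRGM payloads start with a fixed-size header; reject a chunk shorter` / `// than 'hdr_size' so 'temp' never describes bytes past the chunk data.` The `Fail` label and the declaration of `size` are outside the hunk, so confirm that this path returns an error to the caller and releases `subchunk`. The diffstat shows only muxread.c changed; a regression input with a truncated ANMF/FRGM chunk would keep this check from being lost later.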