Limit fsize before adding to pointer.

This avoids a theoretically possible pointer arithmetic overflow
which would lead to a crash due to reading from NULL page.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>

diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c
index ded11b6..c3a5029 100644 (file)
--- a/libavformat/aacdec.c
+++ b/libavformat/aacdec.c
@@ -47,6 +47,7 @@ static int adts_aac_probe(AVProbeData *p)
             fsize = (AV_RB32(buf2 + 3) >> 13) & 0x1FFF;
             if(fsize < 7)
                 break;
+            fsize = FFMIN(fsize, end - buf2);
             buf2 += fsize;
         }
         max_frames = FFMAX(max_frames, frames);