From 5e9a56a0350c518cd4b38845aff49d41a9c952ae Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 25 Dec 2011 12:31:23 +0100
Subject: [PATCH] shorten: validate values in fmt chunk search

Signed-off-by: Michael Niedermayer
---
 libavcodec/shorten.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 1906c69de1..ef58aaa6aa 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -205,7 +205,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
 {
 int len;
 short wave_format;
-
+ const uint8_t *end= header + header_size;
 
 if (bytestream_get_le32(&header) != MKTAG('R','I','F','F')) {
 av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n");
@@ -221,6 +221,8 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
 
 while (bytestream_get_le32(&header) != MKTAG('f','m','t',' ')) {
 len = bytestream_get_le32(&header);
+ if(len<0 || end - header - 8 < len)
+ return AVERROR_INVALIDDATA;
 header += len;
 }
 len = bytestream_get_le32(&header);
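Review bot: The bound added inside the `fmt ` search loop protects only the `header += len` skip; the length read on the last line of the second hunk (`len = bytestream_get_le32(&header);` after the loop) is not compared with `end` in the visible lines, so the fixed-size field reads that presumably follow can still run past the buffer unless the rest of the function bounds them. Nothing visible checks that `header_size` covers the RIFF tag read in the first hunk or the first tag/length pair read in the loop, so those reads happen before any bound is applied unless the caller guarantees a minimum size. The new error path is also silent where the RIFF check logs; I would add `av_log(avctx, AV_LOG_ERROR, "invalid chunk length in WAVE header\n");` before the return and a comment such as `/* keep 8 bytes for the next chunk's tag and length */` next to the `- 8`. The body of decode_wave_header starts before and continues past both hunks.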