authorJohn Rummell <jrummell@chromium.org>2020-03-31 06:30:33 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-23 08:17:17 +0000
commit52367e8e7534f945e1c2c9e305c75aea7d9424f1 (patch)
tree956c8ac6f5c37a487fa9224d5ea9d04f9af14059
parent99fe8bdb44af780ea30c33839b6eebde4f4e2fe7 (diff)
downloadqtwebengine-chromium-52367e8e7534f945e1c2c9e305c75aea7d9424f1.tar.gz
[Backport] Security bug 1065731
Backport of patch originally committed to ffmpeg: libavformat/amr.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with uninitialized data. Caught by Chromium fuzzers (crbug.com/1065731). Change-Id: I6fc8f1f2abddb6ed1e4aaf36da174c4912aa252a Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/ffmpeg/libavformat/amr.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/ffmpeg/libavformat/amr.c b/chromium/third_party/ffmpeg/libavformat/amr.c
index 42840a50a30..a963eb3ded7 100644
--- a/chromium/third_party/ffmpeg/libavformat/amr.c
+++ b/chromium/third_party/ffmpeg/libavformat/amr.c
@@ -90,13 +90,15 @@ static int amr_read_header(AVFormatContext *s)
AVStream *st;
uint8_t header[9];
- avio_read(pb, header, 6);
+ if (avio_read(pb, header, 6) != 6)
+ return AVERROR_INVALIDDATA;
st = avformat_new_stream(s, NULL);
if (!st)
return AVERROR(ENOMEM);
if (memcmp(header, AMR_header, 6)) {
- avio_read(pb, header + 6, 3);
+ if (avio_read(pb, header + 6, 3) != 3)
+ return AVERROR_INVALIDDATA;
if (memcmp(header, AMRWB_header, 9)) {
return -1;
}
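Review bot: Both new checks return AVERROR_INVALIDDATA for every result other than the full count, so a negative error code from avio_read() (an I/O failure or EOF) is reported as malformed input and the real cause is lost to whoever triages the failure. Keeping the return value and propagating it when negative preserves that distinction, e.g. `int ret = avio_read(pb, header, 6);` followed by `if (ret != 6) return ret < 0 ? ret : AVERROR_INVALIDDATA;`, and the same for the 3-byte read into `header + 6`. The untouched `return -1;` under the AMRWB_header comparison is now the only bare error value in this path and could become `return AVERROR_INVALIDDATA;` for consistency. amr_read_header starts before and continues past this hunk, so whether a later exit path needs the same treatment cannot be seen from here.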