authorJohn Rummell <jrummell@chromium.org>2020-03-18 19:16:38 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-24 13:51:04 +0000
commit9222c8b73abc70de3f15a6b77789be731cca39c0 (patch)
treef167641d449d34f0cd95aa28dde0b784937557b7
parentd61a4348c475ab6867334ef3ab4b5709cae15bb2 (diff)
downloadqtwebengine-chromium-9222c8b73abc70de3f15a6b77789be731cca39c0.tar.gz
[Backport] Security bug 1054229
Backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/2108824: Check that ogg stream contains enough data while checking codec. If the buffer doesn't contain enough bytes when replacing a stream, fail rather than continuing on with uninitialized data. Bug: 1054229 Test: Failing fuzzer test passes locally Change-Id: Ieee9484159a9a3715dca62ffaff3a9c6817694d3 Reviewed-by: Chrome Cunningham <chcunningham@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/ffmpeg/libavformat/oggdec.c5
1 files changed, 5 insertions, 0 deletions
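--- a/chromium/third_party/ffmpeg/libavformat/oggdec.c
+++ b/chromium/third_party/ffmpeg/libavformat/oggdec.c
@@ -222,7 +222,12 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs)
 uint8_t magic[8];
 int64_t pos = avio_tell(s->pb);
 avio_skip(s->pb, nsegs);
+#if 0 // Chromium: Check size. http://crbug.com/1054229
 avio_read(s->pb, magic, sizeof(magic));
+#else
+ if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic))
+ return AVERROR_INVALIDDATA;
+#endif
 avio_seek(s->pb, pos, SEEK_SET);
 codec = ogg_find_codec(magic, sizeof(magic));
 if (!codec) {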
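Review bot: The `!= sizeof(magic)` test on the added line folds a negative return from avio_read (an I/O error or AVERROR_EOF) into AVERROR_INVALIDDATA, so the caller can no longer tell a corrupt stream from a read failure. Keeping the read result preserves that distinction: `int ret = avio_read(s->pb, magic, sizeof(magic));` / `if (ret < 0) return ret;` / `if (ret != sizeof(magic)) return AVERROR_INVALIDDATA;`. The early return also skips the `avio_seek(s->pb, pos, SEEK_SET)` that restores the stream position; that is presumably fine because the demuxer treats the error as fatal, but a one-line comment such as `// position is not restored on error: the caller aborts the read` would make the intent explicit. ogg_replace_stream begins before this hunk, so whether a `ret` local already exists is not visible here.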