From 3ac119bbe2c360e28c087cf3852ea769d611b120 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Fri, 20 Mar 2015 09:07:35 +0000
Subject: [PATCH] wavparse: clip chunk length to available data (when known)

This prevents silly chunk lengths from possibly overflowing (at least when we know the actual data length).

https://bugzilla.gnome.org/show_bug.cgi?id=722567
---
 gst/wavparse/gstwavparse.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 0aa24c2c4b..35562a81bc 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1261,8 +1261,14 @@ gst_wavparse_stream_headers (GstWavParse * wav)
 }

 GST_INFO_OBJECT (wav,
- "Got TAG: %" GST_FOURCC_FORMAT ", offset %" G_GUINT64_FORMAT,
- GST_FOURCC_ARGS (tag), wav->offset);
+ "Got TAG: %" GST_FOURCC_FORMAT ", offset %" G_GUINT64_FORMAT ", size %"
+ G_GUINT32_FORMAT, GST_FOURCC_ARGS (tag), wav->offset, size);
+
+ /* Clip to upstream size if known */
+ if (wav->datasize > 0 && size + wav->offset > wav->datasize) {
+ GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
+ size = wav->datasize - wav->offset;
+ }

 /* wav is a st00pid format, we don't know for sure where data starts.
 * So we have to go bit by bit until we find the 'data' header
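Review bot: The clip in the added `if` can itself wrap. When `wav->offset` is already greater than `wav->datasize` the condition still holds, so `size = wav->datasize - wav->offset` underflows; since `size` is logged with the 32-bit format and `offset` with the 64-bit one in this same hunk, the result is then narrowed into a bogus length derived from file-supplied values. Testing without the addition and treating the past-the-end case explicitly avoids this, e.g. `if (wav->datasize > 0 && (wav->offset >= wav->datasize || size > wav->datasize - wav->offset))` with `size = wav->offset < wav->datasize ? wav->datasize - wav->offset : 0;`, or an error return if a zero-length chunk is not acceptable to the code that follows. Separately, the comment and the warning text speak of the upstream/file size while the test uses `wav->datasize`; that field's definition and where it is set are outside the hunk, so it is worth confirming it holds the upstream length at this point and not the length of the data chunk. The body of gst_wavparse_stream_headers continues outside the hunk.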