From 99fe4c577fc88dc7421b6aa6837e65401b5e56db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Thu, 19 Sep 2013 17:02:36 +0300
Subject: [PATCH] r3d: Add more input value validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>

Conflicts:
	libavformat/r3d.c
---
 libavformat/r3d.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/r3d.c b/libavformat/r3d.c
index a4cb20add2..543043e9c9 100644
--- a/libavformat/r3d.c
+++ b/libavformat/r3d.c
@@ -87,7 +87,7 @@ static int r3d_read_red1(AVFormatContext *s)
 
     framerate.num = avio_rb16(s->pb);
     framerate.den = avio_rb16(s->pb);
-    if (framerate.num && framerate.den) {
+    if (framerate.num > 0 && framerate.den > 0) {
 #if FF_API_R_FRAME_RATE
         st->r_frame_rate =
 #endif
@@ -286,6 +286,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom)
     dts = avio_rb32(s->pb);
 
     st->codec->sample_rate = avio_rb32(s->pb);
+    if (st->codec->sample_rate <= 0) {
+        av_log(s, AV_LOG_ERROR, "Bad sample rate\n");
+        return AVERROR_INVALIDDATA;
+    }
 
     samples = avio_rb32(s->pb);