From 2dd0da787ce5008d4d1b8f461fbd1288c32e2c38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= <clement.boesch@smartjog.com>
Date: Fri, 16 Nov 2012 10:21:17 +0200
Subject: [PATCH] lavf/mp3enc: make sure the header is valid before writing
 audio pkt.

An invalid header can lead avpriv_mpegaudio_decode_header() to overread
and/or div by zero.
---
 libavformat/mp3enc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c
index 044eb29620..cc9f0d0919 100644
--- a/libavformat/mp3enc.c
+++ b/libavformat/mp3enc.c
@@ -262,8 +262,14 @@ static int mp3_write_audio_packet(AVFormatContext *s, AVPacket *pkt)
     if (pkt->data && pkt->size >= 4) {
         MPADecodeHeader c;
         int av_unused base;
+        uint32_t head = AV_RB32(pkt->data);
 
-        avpriv_mpegaudio_decode_header(&c, AV_RB32(pkt->data));
+        if (ff_mpa_check_header(head) < 0) {
+            av_log(s, AV_LOG_WARNING, "Audio packet of size %d (starting with %08X...) "
+                   "is invalid, writing it anyway.\n", pkt->size, head);
+            return ff_raw_write_packet(s, pkt);
+        }
+        avpriv_mpegaudio_decode_header(&c, head);
 
         if (!mp3->initial_bitrate)
             mp3->initial_bitrate = c.bit_rate;