Diffstat (limited to 'src/input')
-rw-r--r-- | src/input/libreal/rmff.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/src/input/libreal/rmff.c b/src/input/libreal/rmff.c
index 8142246b6..d4b6ad2e1 100644
--- a/src/input/libreal/rmff.c
+++ b/src/input/libreal/rmff.c
@@ -334,12 +334,14 @@ static rmff_prop_t *rmff_scan_prop(const char *data) {
 return prop;
 }
-static rmff_mdpr_t *rmff_scan_mdpr(const char *data) {
-
- rmff_mdpr_t *mdpr = malloc(sizeof(rmff_mdpr_t));
+static rmff_mdpr_t *rmff_scan_mdpr(const char *data)
+{
+ rmff_mdpr_t *mdpr = calloc(sizeof(rmff_mdpr_t), 1);
 mdpr->object_id=_X_BE_32(data);
 mdpr->size=_X_BE_32(&data[4]);
+ if (mdpr->size < 46)
+ goto fail;
 mdpr->object_version=_X_BE_16(&data[8]);
 if (mdpr->object_version != 0) {
@@ -355,15 +357,34 @@ static rmff_mdpr_t *rmff_scan_mdpr(const char *data) {
 mdpr->duration=_X_BE_32(&data[36]);
 mdpr->stream_name_size=data[40];
+ if (mdpr->size < 46 + mdpr->stream_name_size)
+ goto fail;
 mdpr->stream_name = xine_memdup0(&data[41], mdpr->stream_name_size);
+ if (!mdpr->stream_name)
+ goto fail;
 mdpr->mime_type_size=data[41+mdpr->stream_name_size];
+ if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size)
+ goto fail;
 mdpr->mime_type = xine_memdup0(&data[42+mdpr->stream_name_size], mdpr->mime_type_size);
+ if (!mdpr->mime_type)
+ goto fail;
 mdpr->type_specific_len=_X_BE_32(&data[42+mdpr->stream_name_size+mdpr->mime_type_size]);
+ if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data)
+ goto fail;
 mdpr->type_specific_data = xine_memdup(&data[46+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len);
+ if (!mdpr->type_specific_data)
+ goto fail;
 return mdpr;
+
+fail:
+ free (mdpr->stream_name);
+ free (mdpr->mime_type);
+ free (mdpr->type_specific_data);
+ free (mdpr);
+ return NULL;
 }
 static rmff_cont_t *rmff_scan_cont(const char *data) { |
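Review bot: The `calloc` result in `rmff_scan_mdpr` is dereferenced on the very next statement (`mdpr->object_id=_X_BE_32(data);`) without a NULL check, so an allocation failure crashes before any of the new `goto fail` paths can run. Add `if (!mdpr) return NULL;` directly after the allocation; it has to be a plain return, because the `fail` label itself reads `mdpr->stream_name`. The arguments are also in the unconventional order, and `calloc(1, sizeof(*mdpr))` would tie the size to the variable. The function body continues outside this hunk.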
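Review bot: The last bounds check in the second hunk adds `mdpr->type_specific_data` (the pointer, still NULL from `calloc`) where `mdpr->type_specific_len` was evidently intended, so the length handed to the following `xine_memdup` is never compared with `mdpr->size`. A length field taken from the stream can therefore still drive a read past the end of the chunk, which is the case this commit sets out to close. Compare the length instead, written as a subtraction so that a large 32-bit value cannot wrap the sum: `if (mdpr->type_specific_len > mdpr->size - 46 - mdpr->stream_name_size - mdpr->mime_type_size) goto fail;` (the preceding check already guarantees the right-hand side does not underflow). All of these checks are relative to `mdpr->size`, which is itself read from `data`; whether the caller validates that field against the number of bytes actually received is not visible in this hunk and should be confirmed.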