Check that the header size fits in the stream. (#2123)

BUG=b/335555272
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df2ffb8..b6aa1a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -100,6 +100,7 @@
   index_size.
 * 'infe' boxes with an item_type different from 'mime' and without a
   null-terminated item_name are now considered invalid as per ISO/IEC 14496-12.
+* Fix missing header size check (b/335555272).
 
 ## [1.0.4] - 2024-02-08
 
diff --git a/src/read.c b/src/read.c
index d7c2b60..5e6b73c 100644
--- a/src/read.c
+++ b/src/read.c
@@ -4105,6 +4105,7 @@
         // Either there is no brand requiring anything in the file but a FileTypebox (so not AVIF), or it is invalid.
         return AVIF_FALSE;
     }
+    AVIF_CHECK(avifROStreamHasBytesLeft(&s, header.size));
 
     avifFileType ftyp;
     memset(&ftyp, 0, sizeof(avifFileType));
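Review bot: The added `AVIF_CHECK(avifROStreamHasBytesLeft(&s, header.size));` has no comment, unlike the commented `return AVIF_FALSE` branch just above it, so a reader cannot tell which later read it protects. I would put a line above it such as `// header.size is read from the input and untrusted: bail out unless that many payload bytes are really present.` The code that consumes `header.size` is outside this hunk, as are the start and end of the enclosing function. Presumably the consumer is the ftyp parsing after the `memset`, but it is worth confirming that nothing uses `header.size` between the header read and this check. If the commit does not add one elsewhere, a regression test feeding an `ftyp` box whose declared size exceeds the supplied buffer would pin the behaviour.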