Check that the header size fits in the stream. (#2123)
BUG=b/335555272
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df2ffb8..b6aa1a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -100,6 +100,7 @@
index_size.
* 'infe' boxes with an item_type different from 'mime' and without a
null-terminated item_name are now considered invalid as per ISO/IEC 14496-12.
+* Fix missing header size check (b/335555272).
## [1.0.4] - 2024-02-08
diff --git a/src/read.c b/src/read.c
index d7c2b60..5e6b73c 100644
--- a/src/read.c
+++ b/src/read.c
@@ -4105,6 +4105,7 @@
// Either there is no brand requiring anything in the file but a FileTypebox (so not AVIF), or it is invalid.
return AVIF_FALSE;
}
+ AVIF_CHECK(avifROStreamHasBytesLeft(&s, header.size));
avifFileType ftyp;
memset(&ftyp, 0, sizeof(avifFileType));
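Review bot: The added `AVIF_CHECK(avifROStreamHasBytesLeft(&s, header.size));` has no comment explaining why it is needed, and the surrounding lines do not make the reason obvious. header.size is read from the input file, and the code after this hunk presumably uses it as the length of the ftyp payload, so a box that declares more bytes than the stream holds has to be rejected before parsing. I would put `// header.size is taken from the input; reject a box that claims more bytes than the stream contains.` above the check. The diff shown has no regression test for an input whose ftyp box declares a size larger than the remaining data; one is worth adding if it is not elsewhere in the commit. The enclosing function starts and ends outside the hunk.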