avformat/rmdec: check that buf if completely filled

Fixes: use of uninitialized value
Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976

Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 9578c135d00dd9cc01491b8559d7fad5a387e90d)
Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index d66ee15040be2c94389aed4e69b20387f41e6e26..c64accb9568caf2d161fe54acd5c4e020fb86669 100644 (file)
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -189,7 +189,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
         st->codecpar->channels = avio_rb16(pb);
         if (version == 5) {
             ast->deint_id = avio_rl32(pb);
-            avio_read(pb, buf, 4);
+            if (avio_read(pb, buf, 4) != 4)
+                return AVERROR_INVALIDDATA;
             buf[4] = 0;
         } else {
             AV_WL32(buf, 0);