From 5a50a2c1739edb410c2887fa334638fd7f6e388c Mon Sep 17 00:00:00 2001
From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Sat, 14 Feb 2026 18:33:13 +0100
Subject: [PATCH] avi: reject chunks larger than remaining movi size

---
 nihav-commonfmt/src/demuxers/avi.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nihav-commonfmt/src/demuxers/avi.rs b/nihav-commonfmt/src/demuxers/avi.rs
index 44d68f8..40290ab 100644
--- a/nihav-commonfmt/src/demuxers/avi.rs
+++ b/nihav-commonfmt/src/demuxers/avi.rs
@@ -609,6 +609,10 @@ impl<'a> DemuxCore<'a> for AVIDemuxer<'a> {
             let is_keyframe = self.state.key_offs.binary_search(&self.src.tell()).is_ok();
             let tag = self.src.read_tag()?;
             let size = self.src.read_u32le()? as usize;
+            if size > self.state.movi_size {
+                self.state.movi_size = 0;
+                return Err(InvalidData);
+            }
             match &tag {
                 b"JUNK" => {
                     self.state.movi_size -= size + 8;
-- 
2.39.5