avformat/wtvdec: Skip too big tags

get_tag() is not designed with negative length in mind; in this case, it will allocate a very small buffer (LEN_PRETTY_GUID + 1) and might call avio_get_str16le() with a negative maxlen (which relies on these parameters to be signed). Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
1 year ago · 197f7e914b
parent c461ee39f9
commit 197f7e914b
1 changed files with 1 additions and 1 deletions
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@ -539,7 +539,7 @@ static void parse_legacy_attrib(AVFormatContext *s, AVIOContext *pb)
        ff_get_guid(pb, &guid);
        type   = avio_rl32(pb);
        length = avio_rl32(pb);
-        if (!length)
+        if (length <= 0)
            break;
        if (ff_guidcmp(&guid, ff_metadata_guid)) {
            av_log(s, AV_LOG_WARNING, "unknown guid "FF_PRI_GUID", expected metadata_guid; "