avformat/vividas: check if value from ffio_read_varlen() is too big

6 years ago · 297e65c676
parent 53d3a1c514
commit 297e65c676
1 changed files with 6 additions and 2 deletions
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s,
    off += viv->sb_entries[viv->current_sb_entry].size;

    if (viv->sb_entries[viv->current_sb_entry].flag == 0) {
-        int v_size = ffio_read_varlen(pb);
+        uint64_t v_size = ffio_read_varlen(pb);

        ffio_read_varlen(pb);
+        if (v_size > INT_MAX)
+            return AVERROR_INVALIDDATA;
        ret = av_get_packet(pb, pkt, v_size);
        if (ret < 0)
            return ret;
@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s,
        viv->current_audio_subpacket = 0;

    } else {
-        int v_size = ffio_read_varlen(pb);
+        uint64_t v_size = ffio_read_varlen(pb);

+        if (v_size > INT_MAX)
+            return AVERROR_INVALIDDATA;
        ret = av_get_packet(pb, pkt, v_size);
        if (ret < 0)
            return ret;