avformat/wtvdec: Fix signed integer overflow

Happens when length > INT_MAX / 2; use unsigned for the computation, but restrict the value to INT_MAX, because avio_get_str16le() accepts an int as buf_len argument. Notice that it can happen that the string read by avio_get_str16le() is truncated in this case. Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
author: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> 2023-09-12 13:46:25 +0200
committer: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> 2023-09-12 23:35:01 +0200
commit: 78169f397dad3d9af9cd750441e11b7e201e3949 (patch)
tree: d5c5f654c9d27a5a6c95bec07d545d5ffe23f2a1
parent: 197f7e914bc2a7113388156df5b0e617a4a3ba32 (diff)
download: ffmpeg-78169f397dad3d9af9cd750441e11b7e201e3949.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 2de6dc2103..4ce4b6403e 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -468,7 +468,7 @@ static void get_tag(AVFormatContext *s, AVIOContext *pb, const char *key, int ty
         return;
     }
 
-    buf_size = FFMAX(2*length, LEN_PRETTY_GUID) + 1;
+    buf_size = FFMIN(FFMAX(2U * length, LEN_PRETTY_GUID) + 1, INT_MAX);
     buf = av_malloc(buf_size);
     if (!buf)
         return;
author	Andreas Rheinhardt <andreas.rheinhardt@outlook.com>	2023-09-12 13:46:25 +0200
committer	Andreas Rheinhardt <andreas.rheinhardt@outlook.com>	2023-09-12 23:35:01 +0200
commit	78169f397dad3d9af9cd750441e11b7e201e3949 (patch)
tree	d5c5f654c9d27a5a6c95bec07d545d5ffe23f2a1
parent	197f7e914bc2a7113388156df5b0e617a4a3ba32 (diff)
download	ffmpeg-78169f397dad3d9af9cd750441e11b7e201e3949.tar.gz