diff options
author | Paul B Mahol <onemda@gmail.com> | 2018-12-22 10:37:55 +0100 |
---|---|---|
committer | Paul B Mahol <onemda@gmail.com> | 2018-12-22 11:14:21 +0100 |
commit | 297e65c676e3e59d0cbabf9bf6f87b90f8292399 (patch) | |
tree | 4cd18aa63eb074cb1748f794cd13451df178108b /libavformat | |
parent | 53d3a1c514bfa5adbae87d954c04006ff6030f5b (diff) | |
download | ffmpeg-297e65c676e3e59d0cbabf9bf6f87b90f8292399.tar.gz |
avformat/vividas: check if value from ffio_read_varlen() is too big
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/vividas.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 9c6143d106..31f8c47ca4 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s, off += viv->sb_entries[viv->current_sb_entry].size; if (viv->sb_entries[viv->current_sb_entry].flag == 0) { - int v_size = ffio_read_varlen(pb); + uint64_t v_size = ffio_read_varlen(pb); ffio_read_varlen(pb); + if (v_size > INT_MAX) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, v_size); if (ret < 0) return ret; @@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s, viv->current_audio_subpacket = 0; } else { - int v_size = ffio_read_varlen(pb); + uint64_t v_size = ffio_read_varlen(pb); + if (v_size > INT_MAX) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, v_size); if (ret < 0) return ret; |