mov: Fix overflow and error handling in read_tfra().

Under abnormal conditions the item_count may exceed the max
allocation size on 32-bit systems, this causes the allocated
size to overflow and become too small for the given count.

Additionally, if av_reallocp() fails its allocation, the
fragment_index_count is not correctly decremented.

Ensuring further havoc may be wrought, the error code for
read_tfra() is not checked upon return.

Found-by: Paul Mehta <paul@paulmehta.com>

positive return code and use of _array functions by commiter

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit db42d93a61be26873be6115c57f5921b4dfdec14)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

0 files changed, 0 insertions, 0 deletions