ffmpeg | branch: master | Paul B Mahol <one...@gmail.com> | Sat Dec 22 10:37:55 2018 +0100| [297e65c676e3e59d0cbabf9bf6f87b90f8292399] | committer: Paul B Mahol
avformat/vividas: check if value from ffio_read_varlen() is too big
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=297e65c676e3e59d0cbabf9bf6f87b90f8292399
---
libavformat/vividas.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 9c6143d106..31f8c47ca4 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s,
 off += viv->sb_entries[viv->current_sb_entry].size;
 if (viv->sb_entries[viv->current_sb_entry].flag == 0) {
- int v_size = ffio_read_varlen(pb);
+ uint64_t v_size = ffio_read_varlen(pb);
 ffio_read_varlen(pb);
+ if (v_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, v_size);
 if (ret < 0)
 return ret;
@@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s,
 viv->current_audio_subpacket = 0;
 } else {
- int v_size = ffio_read_varlen(pb);
+ uint64_t v_size = ffio_read_varlen(pb);
+ if (v_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, v_size);
 if (ret < 0)
 return ret;
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
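Review bot: The added `if (v_size > INT_MAX)` guard, here and in the `else` branch of the second hunk, only ensures the value fits the `int` size parameter of `av_get_packet()`; a length far larger than the enclosing block entry is still accepted from the file. If the format guarantees that a packet lies inside its entry, also comparing against `viv->sb_entries[viv->current_sb_entry].size` (used just above for `off`) would be a tighter bound, though that relationship is inferred from the context lines and needs confirming against the demuxer. In the first hunk the second `ffio_read_varlen(pb)` result is still read and discarded before the check, so moving the check directly after the first read would match the second hunk. A one-line comment such as `/* size must fit av_get_packet()'s int argument */` above each check would record why `INT_MAX` is the limit. `viv_read_packet` begins and ends outside both hunks, so any later short-read handling is not visible here.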