From 71d0cfff15ea89b63124a9eaf8032c27d7f2a99a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 6 Jan 2015 04:29:10 +0100
Subject: [PATCH] avformat/mov: fix integer overflow in mov_read_udta_string()

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 02b8aeb856..bfc5c44d87 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -385,7 +385,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     if (!key)
         return 0;
-    if (atom.size < 0)
+    if (atom.size < 0 || str_size >= INT_MAX/2)
         return AVERROR_INVALIDDATA;
 
     str_size = FFMIN3(sizeof(str)-1, str_size, atom.size);