From aff3acc54c079c2e5720dae150b0d963fd8a9ab0 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Fri, 25 Sep 2015 21:21:24 +0200
Subject: [PATCH] avformat/iff: check for possible overflow in 2nd argument of av_new_packet
Signed-off-by: Paul B Mahol
---
 libavformat/iff.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 8ea3b38ac6..5973cde8fe 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -721,11 +721,15 @@ static int iff_read_packet(AVFormatContext *s,
 if (st->codec->codec_tag == ID_DSD || st->codec->codec_tag == ID_MAUD) {
 ret = av_get_packet(pb, pkt, FFMIN(iff->body_end - pos, 1024 * st->codec->block_align));
 } else {
+ if (iff->body_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, iff->body_size);
 }
 } else if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
 uint8_t *buf;
+ if (iff->body_size > INT_MAX - 2)
+ return AVERROR_INVALIDDATA;
 if (av_new_packet(pkt, iff->body_size + 2) < 0) {
 return AVERROR(ENOMEM);
 }
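Review bot: The DSD/MAUD branch at the top of the hunk still hands `FFMIN(iff->body_end - pos, 1024 * st->codec->block_align)` to av_get_packet() without a range check, while the two added guards cover only the `iff->body_size` paths. `1024 * st->codec->block_align` is evaluated as an int product, so if `block_align` can be influenced by the input file it may overflow before FFMIN is applied; a guard such as `if (st->codec->block_align > INT_MAX / 1024) return AVERROR_INVALIDDATA;` ahead of that call would bound it. The declaration of `body_size` is not visible here; if it is a signed type, negative values would pass both new comparisons, so that is worth confirming. iff_read_packet starts and ends outside the hunk, so an earlier check may already constrain `body_end - pos`.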