avformat/vividas: check if value from ffio_read_varlen() is too big

This commit is contained in:
Paul B Mahol 2018-12-22 10:37:55 +01:00
parent 53d3a1c514
commit 297e65c676

View File

@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s,
off += viv->sb_entries[viv->current_sb_entry].size;
if (viv->sb_entries[viv->current_sb_entry].flag == 0) {
int v_size = ffio_read_varlen(pb);
uint64_t v_size = ffio_read_varlen(pb);
ffio_read_varlen(pb);
if (v_size > INT_MAX)
return AVERROR_INVALIDDATA;
ret = av_get_packet(pb, pkt, v_size);
if (ret < 0)
return ret;
@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s,
viv->current_audio_subpacket = 0;
} else {
int v_size = ffio_read_varlen(pb);
uint64_t v_size = ffio_read_varlen(pb);
if (v_size > INT_MAX)
return AVERROR_INVALIDDATA;
ret = av_get_packet(pb, pkt, v_size);
if (ret < 0)
return ret;