From 297e65c676e3e59d0cbabf9bf6f87b90f8292399 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Sat, 22 Dec 2018 10:37:55 +0100
Subject: [PATCH] avformat/vividas: check if value from ffio_read_varlen() is too big
---
 libavformat/vividas.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 9c6143d106..31f8c47ca4 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s,
 off += viv->sb_entries[viv->current_sb_entry].size;
 if (viv->sb_entries[viv->current_sb_entry].flag == 0) {
- int v_size = ffio_read_varlen(pb);
+ uint64_t v_size = ffio_read_varlen(pb);
 ffio_read_varlen(pb);
+ if (v_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, v_size);
 if (ret < 0) return ret;
@@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s,
 viv->current_audio_subpacket = 0;
 } else {
- int v_size = ffio_read_varlen(pb);
+ uint64_t v_size = ffio_read_varlen(pb);
+ if (v_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, v_size);
 if (ret < 0) return ret;
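Review bot: The new `if (v_size > INT_MAX)` guard only makes the value fit the int size parameter of av_get_packet(); a length read from the file is otherwise accepted up to INT_MAX, and nothing in the hunk relates it to `viv->sb_entries[viv->current_sb_entry].size`, which was just added to `off`. If that entry size is meant to cover this payload (this cannot be confirmed from the hunk), a tighter bound such as `if (v_size > INT_MAX || v_size > viv->sb_entries[viv->current_sb_entry].size) return AVERROR_INVALIDDATA;` would reject inconsistent headers before any packet data is read. The same applies to the `else` branch in the second hunk. viv_read_packet() starts and ends outside both hunks.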
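Review bot: The read-and-check pair is now duplicated in both branches with different placement: here the check follows the read directly, while in the `flag == 0` branch a second `ffio_read_varlen(pb)` call sits between the read and the check. Putting the check immediately after the read in both places would keep the two branches easy to compare. A short comment such as `/* v_size is file-controlled; av_get_packet() takes an int size */` would also record why the variable is uint64_t although it is passed on as an int. The enclosing function continues outside the hunk.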