avformat/vividas: check if value from ffio_read_varlen() is too big

297e65c6 · Paul B Mahol · 53d3a1c5 · 297e65c6
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

libavformat/vividas.c libavformat/vividas.c +6 -2

未找到文件。
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s,
    off += viv->sb_entries[viv->current_sb_entry].size;

    if (viv->sb_entries[viv->current_sb_entry].flag == 0) {
-        int v_size = ffio_read_varlen(pb);
+        uint64_t v_size = ffio_read_varlen(pb);

        ffio_read_varlen(pb);
+        if (v_size > INT_MAX)
+            return AVERROR_INVALIDDATA;
        ret = av_get_packet(pb, pkt, v_size);
        if (ret < 0)
            return ret;
@@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s,
        viv->current_audio_subpacket = 0;

    } else {
-        int v_size = ffio_read_varlen(pb);
+        uint64_t v_size = ffio_read_varlen(pb);

+        if (v_size > INT_MAX)
+            return AVERROR_INVALIDDATA;
        ret = av_get_packet(pb, pkt, v_size);
        if (ret < 0)
            return ret;