[FFmpeg-cvslog] avformat/vividas: check if value from ffio_read_varlen() is too big

Paul B Mahol git at videolan.org
Sat Dec 22 12:16:10 EET 2018


ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Sat Dec 22 10:37:55 2018 +0100| [297e65c676e3e59d0cbabf9bf6f87b90f8292399] | committer: Paul B Mahol

avformat/vividas: check if value from ffio_read_varlen() is too big

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=297e65c676e3e59d0cbabf9bf6f87b90f8292399
---

 libavformat/vividas.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 9c6143d106..31f8c47ca4 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -618,9 +618,11 @@ static int viv_read_packet(AVFormatContext *s,
     off += viv->sb_entries[viv->current_sb_entry].size;
 
     if (viv->sb_entries[viv->current_sb_entry].flag == 0) {
-        int v_size = ffio_read_varlen(pb);
+        uint64_t v_size = ffio_read_varlen(pb);
 
         ffio_read_varlen(pb);
+        if (v_size > INT_MAX)
+            return AVERROR_INVALIDDATA;
         ret = av_get_packet(pb, pkt, v_size);
         if (ret < 0)
             return ret;
@@ -646,8 +648,10 @@ static int viv_read_packet(AVFormatContext *s,
         viv->current_audio_subpacket = 0;
 
     } else {
-        int v_size = ffio_read_varlen(pb);
+        uint64_t v_size = ffio_read_varlen(pb);
 
+        if (v_size > INT_MAX)
+            return AVERROR_INVALIDDATA;
         ret = av_get_packet(pb, pkt, v_size);
         if (ret < 0)
             return ret;



More information about the ffmpeg-cvslog mailing list