From 86e574928536ee5249d9cf4da9f5d8714611d706 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 28 Oct 2014 16:42:05 +0100
Subject: [PATCH] avformat/mvdec: Check size for validity in var_read_string()

Fixes out of array read
Fixes: asan_heap-oob_49b1e5_12_011.movie
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/mvdec.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 6e7c3ffd11..0f09498b2b 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -57,7 +57,12 @@ static int mv_probe(AVProbeData *p)
 static char *var_read_string(AVIOContext *pb, int size)
 {
 int n;
- char *str = av_malloc(size + 1);
+ char *str;
+
+ if (size < 0 || size == INT_MAX)
+ return NULL;
+
+ str = av_malloc(size + 1);
 if (!str)
 return NULL;
 n = avio_get_str(pb, size, str, size + 1);
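Review bot: The new guard in var_read_string() returns NULL for an invalid size, the same value the function already returns when av_malloc() fails, so a caller cannot tell a malformed length from out-of-memory. The callers are outside this hunk, so it is worth confirming that they treat NULL as a failed read and not only as an allocation error. The `size == INT_MAX` test is easy to mistake for an arbitrary limit; it exists because `size + 1` is computed as a signed int in both the av_malloc() and avio_get_str() calls, and a one-line comment such as `/* reject negative sizes and keep size + 1 from overflowing */` above the check would keep it from being simplified away later. Beyond that the guard sets no upper bound, so if size is taken from the file (not visible here) a very large length still reaches the allocator. The function body continues past the end of the hunk.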