avformat/iff: check for possible overflow in 2nd argument of av_new_packet

Signed-off-by: Paul B Mahol <onemda@gmail.com>
2015-09-25 21:21:24 +02:00 · 2015-09-25 21:21:24 +02:00 · aff3acc54c
commit aff3acc54c
parent 428424fe75
1 changed files with 4 additions and 0 deletions
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@ -721,11 +721,15 @@ static int iff_read_packet(AVFormatContext *s,
        if (st->codec->codec_tag == ID_DSD || st->codec->codec_tag == ID_MAUD) {
            ret = av_get_packet(pb, pkt, FFMIN(iff->body_end - pos, 1024 * st->codec->block_align));
        } else {
+            if (iff->body_size > INT_MAX)
+                return AVERROR_INVALIDDATA;
            ret = av_get_packet(pb, pkt, iff->body_size);
        }
    } else if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
        uint8_t *buf;

+        if (iff->body_size > INT_MAX - 2)
+            return AVERROR_INVALIDDATA;
        if (av_new_packet(pkt, iff->body_size + 2) < 0) {
            return AVERROR(ENOMEM);
        }