uint64_t orig_pos = avio_tell(pb);
const char * metadata_tag = NULL;
+ if (size >= INT64_MAX)
+ return AVERROR_INVALIDDATA;
+
switch(tag) {
case MKTAG('D','I','A','R'): metadata_tag = "artist"; break;
case MKTAG('D','I','T','I'): metadata_tag = "title"; break;
uint64_t size = avio_rb64(pb);
uint64_t orig_pos = avio_tell(pb);
+ if (size >= INT64_MAX)
+ return AVERROR_INVALIDDATA;
+
switch(tag) {
case MKTAG('A','B','S','S'):
if (size < 8)
break;
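Review bot: The new guard `if (size >= INT64_MAX)` bounds `size` alone, so a value just under the limit still passes, and any later offset arithmetic that adds it to `orig_pos` could still leave the int64_t range. That arithmetic is outside this hunk, so this is inferred rather than seen. A guard that takes the recorded position into account would be `if (orig_pos > INT64_MAX || size > INT64_MAX - orig_pos)` followed by `return AVERROR_INVALIDDATA;`. The same pattern appears in the other size checks on this page: the earlier `size >= INT64_MAX` before the `DIAR`/`DITI` switch and the two `data_size >= INT64_MAX` checks, whose variable declarations are not visible here. The enclosing loop and function begin and end outside the hunk.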
case MKTAG('I','D','3',' '):
- id3v2_extra_meta = NULL;
ff_id3v2_read(s, ID3v2_DEFAULT_MAGIC, &id3v2_extra_meta, size);
if (id3v2_extra_meta) {
if ((ret = ff_id3v2_parse_apic(s, id3v2_extra_meta)) < 0 ||
data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb);
data_pos = avio_tell(pb);
- if (data_size < 1)
+ if (data_size < 1 || data_size >= INT64_MAX)
return AVERROR_INVALIDDATA;
switch (chunk_id) {
data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb);
orig_pos = avio_tell(pb);
+ if (data_size >= INT64_MAX)
+ return AVERROR_INVALIDDATA;
+
switch(chunk_id) {
case ID_VHDR:
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
st->codecpar->bits_per_coded_sample = av_get_bits_per_sample(st->codecpar->codec_id);
st->codecpar->bit_rate = (int64_t)st->codecpar->channels * st->codecpar->sample_rate * st->codecpar->bits_per_coded_sample;
st->codecpar->block_align = st->codecpar->channels * st->codecpar->bits_per_coded_sample;
- if (st->codecpar->codec_tag == ID_DSD && st->codecpar->block_align <= 0)
+ if ((st->codecpar->codec_tag == ID_DSD || st->codecpar->codec_tag == ID_MAUD) && st->codecpar->block_align <= 0)
return AVERROR_INVALIDDATA;
break;
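Review bot: The extended `block_align <= 0` test runs only after `st->codecpar->channels * st->codecpar->bits_per_coded_sample` has been evaluated without a widening cast, unlike the `bit_rate` line above it, which casts to `int64_t`. If both fields are plain `int` (their declarations are not in the hunk), an overflowing product is undefined behaviour, and a sign test after the fact cannot be relied on to catch it. Computing the product in 64 bits first, `int64_t ba = (int64_t)st->codecpar->channels * st->codecpar->bits_per_coded_sample;`, then rejecting `ba > INT_MAX` before the assignment, would keep the tag-specific `<= 0` test meaningful. A short comment saying why only `ID_DSD` and `ID_MAUD` need a positive `block_align` would also help. The enclosing case and function continue outside the hunk.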
} else if (st->codecpar->codec_tag == ID_DST) {
return read_dst_frame(s, pkt);
} else {
- if (iff->body_size > INT_MAX)
+ if (iff->body_size > INT_MAX || !iff->body_size)
return AVERROR_INVALIDDATA;
ret = av_get_packet(pb, pkt, iff->body_size);
}
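Review bot: The guard `if (iff->body_size > INT_MAX || !iff->body_size)` is now written out twice, here and again in the video branch that follows, and neither copy says why an empty body is rejected. Two identical unexplained checks tend to drift apart when one is edited later. I would add a comment above each, for example `/* body_size must fit av_get_packet()'s int size argument and must not be empty */`, or move the test into one small static helper that both branches call. The type of `body_size` is not visible in the hunk, so whether `> INT_MAX` is the right upper bound for it is assumed. The enclosing function starts and ends outside the hunk.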
pkt->flags |= AV_PKT_FLAG_KEY;
} else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO &&
st->codecpar->codec_tag != ID_ANIM) {
+ if (iff->body_size > INT_MAX || !iff->body_size)
+ return AVERROR_INVALIDDATA;
ret = av_get_packet(pb, pkt, iff->body_size);
pkt->pos = pos;
if (pos == iff->body_pos)