integer overflows, heap corruption

[ffmpeg] / libavformat / matroska.c

diff --git a/libavformat/matroska.c b/libavformat/matroska.c
index fee09f41d0ad9e2127c040fe6c6ceeed17932adf..1e146d464acd788dc7f0bbbc7a9e78764a0a25fc 100644 (file)
--- a/libavformat/matroska.c
+++ b/libavformat/matroska.c
@@ -669,7 +669,7 @@ ebml_read_ascii (MatroskaDemuxContext *matroska,
 
     /* ebml strings are usually not 0-terminated, so we allocate one
      * byte more, read the string and NULL-terminate it ourselves. */
-    if (!(*str = av_malloc(size + 1))) {
+    if (size < 0 || !(*str = av_malloc(size + 1))) {
         av_log(matroska->ctx, AV_LOG_ERROR, "Memory allocation failed\n");
         return AVERROR_NOMEM;
     }
@@ -2152,8 +2152,6 @@ matroska_read_header (AVFormatContext    *s,
         MatroskaTrack *track;
         AVStream *st;
 
-        av_set_pts_info(s, 24, 1, 1000); /* 24 bit pts in ms */
-
         for (i = 0; i < matroska->num_tracks; i++) {
             track = matroska->tracks[i];
 
@@ -2230,6 +2228,9 @@ matroska_read_header (AVFormatContext    *s,
             else if (!strcmp(track->codec_id,
                              MATROSKA_CODEC_ID_AUDIO_AC3))
                 codec_id = CODEC_ID_AC3;
+            else if (!strcmp(track->codec_id,
+                             MATROSKA_CODEC_ID_AUDIO_DTS))
+                codec_id = CODEC_ID_DTS;
             /* No such codec id so far. */
 /*             else if (!strcmp(track->codec_id, */
 /*                              MATROSKA_CODEC_ID_AUDIO_DTS)) */
@@ -2257,6 +2258,7 @@ matroska_read_header (AVFormatContext    *s,
             st = av_new_stream(s, track->stream_index);
             if (st == NULL)
                 return AVERROR_NOMEM;
+            av_set_pts_info(st, 24, 1, 1000); /* 24 bit pts in ms */
 
             st->codec.codec_id = codec_id;