avformat/id3v2: Sanity check tlen before alloc and uncompress

[ffmpeg] / libavformat / mvi.c

diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 9f90faf56b8463d202de802fb6723127c4131bdc..06c9cfe3f057c4c5ae5ec136e39f2d62d99b41ad 100644 (file)
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -45,6 +45,7 @@ static int read_header(AVFormatContext *s)
     AVIOContext *pb = s->pb;
     AVStream *ast, *vst;
     unsigned int version, frames_count, msecs_per_frame, player_version;
+    int ret;
 
     ast = avformat_new_stream(s, NULL);
     if (!ast)
@@ -54,8 +55,8 @@ static int read_header(AVFormatContext *s)
     if (!vst)
         return AVERROR(ENOMEM);
 
-    if (ff_alloc_extradata(vst->codecpar, 2))
-        return AVERROR(ENOMEM);
+    if ((ret = ff_alloc_extradata(vst->codecpar, 2)) < 0)
+        return ret;
 
     version                  = avio_r8(pb);
     vst->codecpar->extradata[0] = avio_r8(pb);
@@ -122,6 +123,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
         if (count > mvi->audio_size_left)
             count = mvi->audio_size_left;
+        if ((int64_t)count << MVI_FRAC_BITS > INT_MAX)
+            return AVERROR_INVALIDDATA;
         if ((ret = av_get_packet(pb, pkt, count)) < 0)
             return ret;
         pkt->stream_index = MVI_AUDIO_STREAM_INDEX;