typedef struct MviDemuxContext {
unsigned int (*get_int)(AVIOContext *);
- uint32_t audio_data_size;
uint64_t audio_size_counter;
uint64_t audio_frame_size;
int audio_size_left;
AVIOContext *pb = s->pb;
AVStream *ast, *vst;
unsigned int version, frames_count, msecs_per_frame, player_version;
+ int ret;
+ int audio_data_size;
ast = avformat_new_stream(s, NULL);
if (!ast)
if (!vst)
return AVERROR(ENOMEM);
- if (ff_alloc_extradata(vst->codecpar, 2))
- return AVERROR(ENOMEM);
+ if ((ret = ff_alloc_extradata(vst->codecpar, 2)) < 0)
+ return ret;
version = avio_r8(pb);
vst->codecpar->extradata[0] = avio_r8(pb);
vst->codecpar->height = avio_rl16(pb);
avio_r8(pb);
ast->codecpar->sample_rate = avio_rl16(pb);
- mvi->audio_data_size = avio_rl32(pb);
+ audio_data_size = avio_rl32(pb);
avio_r8(pb);
player_version = avio_rl32(pb);
avio_rl16(pb);
avio_r8(pb);
- if (frames_count == 0 || mvi->audio_data_size == 0)
+ if (frames_count == 0 || audio_data_size <= 0)
return AVERROR_INVALIDDATA;
if (version != 7 || player_version > 213) {
vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
vst->codecpar->codec_id = AV_CODEC_ID_MOTIONPIXELS;
- mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24;
+ mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24;
- mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
+ mvi->audio_frame_size = ((uint64_t)audio_data_size << MVI_FRAC_BITS) / frames_count;
if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
av_log(s, AV_LOG_ERROR,
- "Invalid audio_data_size (%"PRIu32") or frames_count (%u)\n",
- mvi->audio_data_size, frames_count);
+ "Invalid audio_data_size (%d) or frames_count (%u)\n",
+ audio_data_size, frames_count);
return AVERROR_INVALIDDATA;
}
mvi->audio_size_counter = (ast->codecpar->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
- mvi->audio_size_left = mvi->audio_data_size;
+ mvi->audio_size_left = audio_data_size;
return 0;
}
mvi->video_frame_size = (mvi->get_int)(pb);
if (mvi->audio_size_left == 0)
return AVERROR(EIO);
+ if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size ||
+ mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS)
+ return AVERROR_INVALIDDATA;
+
count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
if (count > mvi->audio_size_left)
count = mvi->audio_size_left;
+ if ((int64_t)count << MVI_FRAC_BITS > INT_MAX)
+ return AVERROR_INVALIDDATA;
if ((ret = av_get_packet(pb, pkt, count)) < 0)
return ret;
pkt->stream_index = MVI_AUDIO_STREAM_INDEX;