Merge commit '58170b027144f4840018c7a60fb8d07924cc6242'

[ffmpeg] / libavformat / nutdec.c

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 286d1eee3057cf037ac8eb1cdfaf192e6ca4c13d..4df6a57a6720b143f43abf071f466bb52c5b7d79 100644 (file)
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -934,7 +934,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
                 return ret;
             }
             value_len = ffio_read_varlen(bc);
-            if (avio_tell(bc) + value_len >= maxpos)
+            if (value_len < 0 || value_len >= maxpos - avio_tell(bc))
                 return AVERROR_INVALIDDATA;
             if (!strcmp(name, "Palette")) {
                 dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len);
@@ -1133,7 +1133,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
     ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
     if (ret < 0)
         return ret;
-    memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+    if (nut->header[header_idx])
+        memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
     pkt->pos = avio_tell(bc); // FIXME
     if (stc->last_flags & FLAG_SM_DATA) {
         int sm_size;