X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2F4xm.c;h=6a227a0b0d2c81d1931d33e14132129c8f8c4f27;hb=2a19232c1996fee52a3f4201fa379001627dcc89;hp=ead6d2b4243a83d80c3931c03605f27a5bb3fab0;hpb=f05f210526a3dc2d9fa6b1c228e3907ebd1d43c6;p=ffmpeg

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index ead6d2b4243..6a227a0b0d2 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -59,8 +59,10 @@
 #define GET_LIST_HEADER() \
     fourcc_tag = avio_rl32(pb); \
     size       = avio_rl32(pb); \
-    if (fourcc_tag != LIST_TAG) \
-        return AVERROR_INVALIDDATA; \
+    if (fourcc_tag != LIST_TAG) { \
+        ret = AVERROR_INVALIDDATA; \
+        goto fail; \
+    } \
     fourcc_tag = avio_rl32(pb);
 
 typedef struct AudioTrack {
@@ -81,7 +83,7 @@ typedef struct FourxmDemuxContext {
     AVRational fps;
 } FourxmDemuxContext;
 
-static int fourxm_probe(AVProbeData *p)
+static int fourxm_probe(const AVProbeData *p)
 {
     if ((AV_RL32(&p->buf[0]) != RIFF_TAG) ||
         (AV_RL32(&p->buf[8]) != FOURXMV_TAG))
@@ -210,12 +212,13 @@ static int fourxm_read_header(AVFormatContext *s)
     unsigned int size;
     int header_size;
     FourxmDemuxContext *fourxm = s->priv_data;
-    unsigned char *header;
+    unsigned char *header = NULL;
     int i, ret;
 
     fourxm->track_count = 0;
     fourxm->tracks      = NULL;
     fourxm->fps         = (AVRational){1,1};
+    fourxm->video_stream_index = -1;
 
     /* skip the first 3 32-bit numbers */
     avio_skip(pb, 12);
@@ -241,7 +244,8 @@ static int fourxm_read_header(AVFormatContext *s)
         size       = AV_RL32(&header[i + 4]);
         if (size > header_size - i - 8 && (fourcc_tag == vtrk_TAG || fourcc_tag == strk_TAG)) {
             av_log(s, AV_LOG_ERROR, "chunk larger than array %d>%d\n", size, header_size - i - 8);
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
         }
 
         if (fourcc_tag == std__TAG) {
@@ -321,8 +325,12 @@ static int fourxm_read_packet(AVFormatContext *s,
         case cfr2_TAG:
             /* allocate 8 more bytes than 'size' to account for fourcc
              * and size */
-            if (size + 8 < size || av_new_packet(pkt, size + 8))
-                return AVERROR(EIO);
+            if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 8)
+                return AVERROR_INVALIDDATA;
+            if (fourxm->video_stream_index < 0)
+                return AVERROR_INVALIDDATA;
+            if ((ret = av_new_packet(pkt, size + 8)) < 0)
+                return ret;
             pkt->stream_index = fourxm->video_stream_index;
             pkt->pts          = fourxm->video_pts;
             pkt->pos          = avio_tell(s->pb);
@@ -346,7 +354,7 @@ static int fourxm_read_packet(AVFormatContext *s,
                 fourxm->tracks[track_number].channels > 0) {
                 ret = av_get_packet(s->pb, pkt, size);
                 if (ret < 0)
-                    return AVERROR(EIO);
+                    return ret;
                 pkt->stream_index =
                     fourxm->tracks[track_number].stream_index;
                 pkt->pts    = fourxm->tracks[track_number].audio_pts;