X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Ffitsdec.c;h=df757e868b6bfcd10aa632d7586e214f81f62bd7;hb=a04ad248a05e7b613abe09b3bb067f555108d794;hp=4b288b3903939f01c8c4e6c25e9a50b721ae4b1a;hpb=2d62e06ff6a9f3dbd78136c1dc4a315a727c6f00;p=ffmpeg

diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c
index 4b288b39039..df757e868b6 100644
--- a/libavformat/fitsdec.c
+++ b/libavformat/fitsdec.c
@@ -24,6 +24,7 @@
  * FITS demuxer.
  */
 
+#include "libavutil/avassert.h"
 #include "libavutil/intreadwrite.h"
 #include "internal.h"
 #include "libavutil/opt.h"
@@ -39,7 +40,7 @@ typedef struct FITSContext {
     int64_t pts;
 } FITSContext;
 
-static int fits_probe(AVProbeData *p)
+static int fits_probe(const AVProbeData *p)
 {
     const uint8_t *b = p->buf;
     if (!memcmp(b, "SIMPLE  =                    T", 30))
@@ -125,14 +126,14 @@ static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *heade
     size += header->pcount;
 
     t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount);
-    if(size && t > UINT64_MAX / size)
+    if(size && t > INT64_MAX / size)
         return AVERROR_INVALIDDATA;
     size *= t;
 
     if (!size) {
         image = 0;
     } else {
-        if(FITS_BLOCK_SIZE - 1 > UINT64_MAX - size)
+        if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size)
             return AVERROR_INVALIDDATA;
         size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE;
     }
@@ -157,11 +158,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED);
     while ((ret = is_image(s, fits, &header, &avbuf, &size)) == 0) {
+        av_bprint_finalize(&avbuf, NULL);
         pos = avio_skip(s->pb, size);
         if (pos < 0)
             return pos;
 
-        av_bprint_finalize(&avbuf, NULL);
         av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED);
         avpriv_fits_header_init(&header, STATE_XTENSION);
     }
@@ -173,6 +174,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt)
         goto fail;
     }
 
+    av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX);
+    if (avbuf.len + size > INT_MAX - 80)  {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
     // Header is sent with the first line removed...
     ret = av_new_packet(pkt, avbuf.len - 80 + size);
     if (ret < 0)
@@ -183,7 +189,6 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     ret = av_bprint_finalize(&avbuf, &buf);
     if (ret < 0) {
-        av_packet_unref(pkt);
         return ret;
     }
 
@@ -192,7 +197,6 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt)
     av_freep(&buf);
     ret = avio_read(s->pb, pkt->data + pkt->size, size);
     if (ret < 0) {
-        av_packet_unref(pkt);
         return ret;
     }