X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fidroqdec.c;h=8fd67a6818b37c0c0742bb57e3603100948b41a0;hb=91ed4e71967f19824237de4c374f038b543c7555;hp=b66427968f810a708ae56c27b1d20e663da58abe;hpb=1398ded7a77b2057a3e9983e3df512855b7ff0eb;p=ffmpeg
diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c
index b66427968f8..8fd67a6818b 100644
--- a/libavformat/idroqdec.c
+++ b/libavformat/idroqdec.c
@@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s,
 chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 +
 codebook_size;
 
+ if (chunk_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
+
 /* rewind */
 avio_seek(pb, codebook_offset, SEEK_SET);
 
@@ -219,8 +222,10 @@ static int roq_read_packet(AVFormatContext *s,
 pkt->pos= avio_tell(pb);
 ret = avio_read(pb, pkt->data + RoQ_CHUNK_PREAMBLE_SIZE,
 chunk_size);
- if (ret != chunk_size)
+ if (ret != chunk_size) {
+ av_packet_unref(pkt);
 ret = AVERROR(EIO);
+ }
 
 packet_read = 1;
 break;
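Review bot: The `chunk_size > INT_MAX` test runs on the finished sum, so it cannot detect a wraparound inside `AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size` itself. If chunk_size is a 32-bit unsigned (its declaration is outside this hunk), a length field near the 32-bit maximum wraps to a small value and passes the check, and the packet is then presumably read with a size that no longer matches the file. Doing the addition in a wider type before comparing closes that gap, e.g. `uint64_t total = (uint64_t)AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size;` followed by `if (total > INT_MAX) return AVERROR_INVALIDDATA;`. roq_read_packet starts and ends outside the hunk.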
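Review bot: The error branch after `avio_read` still overwrites whatever the read returned with `AVERROR(EIO)`, so a caller cannot tell a truncated file from an end-of-file or a genuine I/O failure. Since a failing avio_read returns a negative error code, the assignment could keep it and use EIO only for a short read: `ret = ret < 0 ? ret : AVERROR(EIO);`. A one-line comment such as `/* short read: drop the partially filled packet */` above `av_packet_unref(pkt);` would also explain why the packet is released here. How ret is returned after `packet_read = 1` lies outside the hunk.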