X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fifv.c;h=bca8f85d09b826d68805aad74d863c1f4f0b3170;hb=18b3deee2256a8861fd292653c8dd3ef191ef893;hp=6acbb29a7595300b5eb7ea0f5ee57e69a7a5151e;hpb=9654e97572decb58d0effbfa8d0a0ede3cbe2d95;p=ffmpeg

diff --git a/libavformat/ifv.c b/libavformat/ifv.c
index 6acbb29a759..bca8f85d09b 100644
--- a/libavformat/ifv.c
+++ b/libavformat/ifv.c
@@ -68,6 +68,8 @@ static int read_index(AVFormatContext *s,
     }
 
     for (i = start_index; i < end_index; i++) {
+        if (avio_feof(s->pb))
+            return AVERROR_EOF;
         pos = avio_rl32(s->pb);
         size = avio_rl32(s->pb);
 
@@ -193,21 +195,22 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     if (ifv->next_video_index < ifv->total_vframes) {
         st = s->streams[ifv->video_stream_index];
-        if (ifv->next_video_index < st->nb_index_entries)
-            e_next = ev = &st->index_entries[ifv->next_video_index];
+        if (ifv->next_video_index < st->internal->nb_index_entries)
+            e_next = ev = &st->internal->index_entries[ifv->next_video_index];
     }
 
     if (ifv->is_audio_present &&
         ifv->next_audio_index < ifv->total_aframes) {
         st = s->streams[ifv->audio_stream_index];
-        if (ifv->next_audio_index < st->nb_index_entries) {
-            ea = &st->index_entries[ifv->next_audio_index];
+        if (ifv->next_audio_index < st->internal->nb_index_entries) {
+            ea = &st->internal->index_entries[ifv->next_audio_index];
             if (!ev || ea->timestamp < ev->timestamp)
                 e_next = ea;
         }
     }
 
     if (!ev) {
+        uint64_t vframes, aframes;
         if (ifv->is_audio_present && !ea) {
             /*read new video and audio indexes*/
 
@@ -215,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt)
             ifv->next_audio_index = ifv->total_aframes;
 
             avio_skip(s->pb, 0x1c);
-            ifv->total_vframes += avio_rl32(s->pb);
-            ifv->total_aframes += avio_rl32(s->pb);
+            vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb);
+            aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb);
+            if (vframes > INT_MAX || aframes > INT_MAX)
+                return AVERROR_INVALIDDATA;
+            ifv->total_vframes = vframes;
+            ifv->total_aframes = aframes;
             avio_skip(s->pb, 0xc);
 
             if (avio_feof(s->pb))
@@ -238,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt)
             ifv->next_video_index = ifv->total_vframes;
 
             avio_skip(s->pb, 0x1c);
-            ifv->total_vframes += avio_rl32(s->pb);
+            vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb);
+            if (vframes > INT_MAX)
+                return AVERROR_INVALIDDATA;
+            ifv->total_vframes = vframes;
             avio_skip(s->pb, 0x10);
 
             if (avio_feof(s->pb))