X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fmpc8.c;h=b12a417f63239db9cbed402a04c77987a6da4179;hb=7d9afb46f2f413abe9d2ee0f9353368a7d4888f7;hp=a7ad908ca4427ccf7e741e9da1d575cc955a22b2;hpb=0897402ac8a2045691395380a9fd2ea88c0d3798;p=ffmpeg
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index a7ad908ca44..b12a417f632 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -127,7 +127,11 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size)
 pos = avio_tell(pb);
 *tag = avio_rl16(pb);
 *size = ffio_read_varlen(pb);
- *size -= avio_tell(pb) - pos;
+ pos -= avio_tell(pb);
+ if (av_sat_add64(*size, pos) != (uint64_t)*size + pos) {
+ *size = -1;
+ } else
+ *size += pos;
 }
 
 static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
@@ -178,6 +182,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
 av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME);
 }
 for(; i < size; i++){
+ if (get_bits_left(&gb) < 13) {
+ av_free(buf);
+ return;
+ }
 t = get_unary(&gb, 1, 33) << 12;
 t += get_bits(&gb, 12);
 if(t & 1)
@@ -288,7 +296,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt)
 return AVERROR_EOF;
 
 mpc8_get_chunk_header(s->pb, &tag, &size);
- if (size < 0)
+ if (size < 0 || size > INT_MAX)
 return -1;
 if(tag == TAG_AUDIOPACKET){
 if ((ret = av_get_packet(s->pb, pkt, size)) < 0)
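Review bot: The `-1` stored in `*size` on overflow is an in-band sentinel that nothing here documents, and because mpc8_get_chunk_header still returns void, every caller has to remember to reject a negative size before using it as a length. The result can also be negative without any overflow, when the declared size is smaller than the header bytes just consumed, so the contract is "any negative value is invalid", not only `-1`. mpc8_read_packet checks this in the third hunk; other callers are outside this page and should be confirmed to do the same, since the value comes straight from the file via `ffio_read_varlen`. A comment above the function such as `/* *size is the payload size after the header; negative means invalid or overflowed, callers must reject size < 0 */` would make that explicit, and the unbraced `else` beside a braced `if` is worth normalising to `} else {`. The function starts outside the hunk, so the type of `pos` is assumed to be int64_t.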
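Review bot: The bound in `get_bits_left(&gb) < 13` covers only the shortest possible entry (one unary terminator bit plus the 12 bits read by `get_bits`), while `get_unary(&gb, 1, 33)` may consume up to 33 bits. A long unary run near the end of the buffer can therefore pass this check and still reach `get_bits(&gb, 12)` with fewer than 12 bits left. Whether that over-read is harmless depends on how `buf` is allocated and padded and on the bit reader's configuration, neither of which is visible in this hunk. Consider re-checking after the unary read with `if (get_bits_left(&gb) < 12) { av_free(buf); return; }`, and documenting the existing check with `/* 13 = 1 unary stop bit + 12 payload bits */`. The early return is also silent, so a truncated seek table leaves a partial index with no log line; the loop and the function continue outside the hunk.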
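Review bot: The rejected-size path still returns a bare `-1`, which on most platforms is indistinguishable from AVERROR(EPERM), so a caller or log reader sees a permission error for what is really a malformed chunk size. `return AVERROR_INVALIDDATA;` would report the condition accurately and would match the `AVERROR_EOF` return a few lines above. The new `size > INT_MAX` bound protects the `av_get_packet(s->pb, pkt, size)` call visible here. Any other use of `size` later in mpc8_read_packet is outside the hunk and was not reviewed.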