X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fnutdec.c;h=4df6a57a6720b143f43abf071f466bb52c5b7d79;hb=3e337f0e40145d586de34f634818285483ea18a0;hp=286d1eee3057cf037ac8eb1cdfaf192e6ca4c13d;hpb=10e55bd658b06034d700553190b419b1af92b7cb;p=ffmpeg

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 286d1eee305..4df6a57a672 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -934,7 +934,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
                 return ret;
             }
             value_len = ffio_read_varlen(bc);
-            if (avio_tell(bc) + value_len >= maxpos)
+            if (value_len < 0 || value_len >= maxpos - avio_tell(bc))
                 return AVERROR_INVALIDDATA;
             if (!strcmp(name, "Palette")) {
                 dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len);
@@ -1133,7 +1133,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
     ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
     if (ret < 0)
         return ret;
-    memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+    if (nut->header[header_idx])
+        memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
     pkt->pos = avio_tell(bc); // FIXME
     if (stc->last_flags & FLAG_SM_DATA) {
         int sm_size;