matroskadec: Check EBML lace sizes.

author Michael Niedermayer <michaelni@gmx.at>

Thu, 4 Apr 2013 13:39:23 +0000 (15:39 +0200)

committer Michael Niedermayer <michaelni@gmx.at>

Thu, 4 Apr 2013 13:51:04 +0000 (15:51 +0200)
author Michael Niedermayer <michaelni@gmx.at>
Thu, 4 Apr 2013 13:39:23 +0000 (15:39 +0200)
committer Michael Niedermayer <michaelni@gmx.at>
Thu, 4 Apr 2013 13:51:04 +0000 (15:51 +0200)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c

index 39559b5cca5109d4281d48839bd11f2af18ab6c0..ad0401a8576bc69ea99bba3ac0af1140aa94bc08 100644 (file)
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2027,10 +2027,10 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf,
          uint64_t num;
          uint64_t total;
          n = matroska_ebmlnum_uint(matroska, data, size, &num);
-        if (n < 0) {
+        if (n < 0 || num > INT_MAX) {
              av_log(matroska->ctx, AV_LOG_INFO,
                     "EBML block data error\n");
-            res = n;
+            res = n<0 ? n : AVERROR_INVALIDDATA;
              break;
          }
          data += n;
@@ -2040,10 +2040,10 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf,
              int64_t snum;
              int r;
              r = matroska_ebmlnum_sint(matroska, data, size, &snum);
-            if (r < 0) {
+            if (r < 0 || lace_size[n - 1] + snum > (uint64_t)INT_MAX) {
                  av_log(matroska->ctx, AV_LOG_INFO,
                         "EBML block data error\n");
-                res = r;
+                res = r<0 ? r : AVERROR_INVALIDDATA;
                  break;
              }
              data += r;
author	Michael Niedermayer <michaelni@gmx.at>
	Thu, 4 Apr 2013 13:39:23 +0000 (15:39 +0200)
committer	Michael Niedermayer <michaelni@gmx.at>
	Thu, 4 Apr 2013 13:51:04 +0000 (15:51 +0200)