[FFmpeg-cvslog] avformat/vividas: Test size and packet numbers a bit more

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Sep  4 16:30:00 2019 +0200| [27a2f65948105931fac95734dfd7336897c3f544] | committer: Michael Niedermayer

avformat/vividas: Test size and packet numbers a bit more

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=27a2f65948105931fac95734dfd7336897c3f544
---

 libavformat/vividas.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 4cb371f556..efe1b8deff 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -429,6 +429,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
     int maxnp=0;
     AVIOContext *pb;
     int i;
+    int64_t filesize = avio_size(s->pb);
 
     pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL);
     if (!pb)
@@ -437,11 +438,8 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
     ffio_read_varlen(pb); // track_index_len
     avio_r8(pb); // 'c'
     viv->n_sb_blocks = ffio_read_varlen(pb);
-    if (viv->n_sb_blocks * 2 > size) {
-        viv->n_sb_blocks = 0;
-        av_free(pb);
-        return AVERROR_INVALIDDATA;
-    }
+    if (viv->n_sb_blocks * 2 > size)
+        goto error;
     viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block));
     if (!viv->sb_blocks) {
         viv->n_sb_blocks = 0;
@@ -453,24 +451,37 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu
     poff = 0;
 
     for (i = 0; i < viv->n_sb_blocks; i++) {
+        uint64_t size_tmp      = ffio_read_varlen(pb);
+        uint64_t n_packets_tmp = ffio_read_varlen(pb);
+
+        if (size_tmp > INT_MAX || n_packets_tmp > INT_MAX)
+            goto error;
+
         viv->sb_blocks[i].byte_offset = off;
         viv->sb_blocks[i].packet_offset = poff;
 
-        viv->sb_blocks[i].size = ffio_read_varlen(pb);
-        viv->sb_blocks[i].n_packets = ffio_read_varlen(pb);
+        viv->sb_blocks[i].size = size_tmp;
+        viv->sb_blocks[i].n_packets = n_packets_tmp;
 
         off += viv->sb_blocks[i].size;
         poff += viv->sb_blocks[i].n_packets;
 
-
         if (maxnp < viv->sb_blocks[i].n_packets)
             maxnp = viv->sb_blocks[i].n_packets;
     }
 
+    if (filesize > 0 && poff > filesize)
+        goto error;
+
     viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry));
     av_free(pb);
 
     return 0;
+error:
+    av_free(pb);
+    viv->n_sb_blocks = 0;
+    av_freep(&viv->sb_blocks);
+    return AVERROR_INVALIDDATA;
 }
 
 static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size)