authorPaul B Mahol <onemda@gmail.com>2015-09-25 21:21:24 +0200
committerPaul B Mahol <onemda@gmail.com>2015-09-25 21:25:08 +0200
commitaff3acc54c079c2e5720dae150b0d963fd8a9ab0 (patch)
tree80d59e1809587b6ac72780778785cd395ba3d0c3 /libavformat/iff.c
parent428424fe75206753ab2039e624031c9643623ea0 (diff)
avformat/iff: check for possible overflow in 2nd argument of av_new_packet
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Diffstat (limited to 'libavformat/iff.c')
-rw-r--r--libavformat/iff.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 8ea3b38ac6..5973cde8fe 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -721,11 +721,15 @@ static int iff_read_packet(AVFormatContext *s,
if (st->codec->codec_tag == ID_DSD || st->codec->codec_tag == ID_MAUD) {
ret = av_get_packet(pb, pkt, FFMIN(iff->body_end - pos, 1024 * st->codec->block_align));
} else {
+ if (iff->body_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
ret = av_get_packet(pb, pkt, iff->body_size);
}
} else if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
uint8_t *buf;
+ if (iff->body_size > INT_MAX - 2)
+ return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, iff->body_size + 2) < 0) {
return AVERROR(ENOMEM);
}
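Review bot: The DSD/MAUD branch just above the first added check still passes an unchecked size to av_get_packet: in `FFMIN(iff->body_end - pos, 1024 * st->codec->block_align)` the multiplication can overflow and the difference can go negative if `pos` is past `body_end`, and neither case is rejected the way `body_size` now is. Unless those values are validated elsewhere (their declarations and the header parsing are outside this hunk), computing the size in 64 bits and range-checking it would close the same class of bug, e.g. `int64_t len = FFMIN(iff->body_end - pos, 1024LL * st->codec->block_align);` followed by `if (len < 0 || len > INT_MAX) return AVERROR_INVALIDDATA;`. The two added comparisons also only take effect if `body_size` is unsigned or wider than int, which is not visible here; a short comment such as `/* av_new_packet() takes an int size; body_size comes from the file */` would record why the limit is `INT_MAX - 2`. iff_read_packet starts and ends outside the hunk.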