avformat/matroskadec: Properly check return values

Up until now, webm_dash_manifest_cues used the return values of
ebml_read_num and ebml_read_length without checking for errors,
i.e. return values < 0. This has been changed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

1 files changed, 11 insertions, 6 deletions

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 996bddf1c1..0e9938b65e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -3864,12 +3864,17 @@ static int webm_dash_manifest_cues(AVFormatContext *s, int64_t init_range)
     cues_start = seekhead[i].pos + matroska->segment_start;
     if (avio_seek(matroska->ctx->pb, cues_start, SEEK_SET) == cues_start) {
         // cues_end is computed as cues_start + cues_length + length of the
-        // Cues element ID + EBML length of the Cues element. cues_end is
-        // inclusive and the above sum is reduced by 1.
-        uint64_t cues_length = 0, cues_id = 0, bytes_read = 0;
-        bytes_read += ebml_read_num(matroska, matroska->ctx->pb, 4, &cues_id);
-        bytes_read += ebml_read_length(matroska, matroska->ctx->pb, &cues_length);
-        cues_end = cues_start + cues_length + bytes_read - 1;
+        // Cues element ID (i.e. 4) + EBML length of the Cues element.
+        // cues_end is inclusive and the above sum is reduced by 1.
+        uint64_t cues_length, cues_id;
+        int bytes_read;
+        bytes_read = ebml_read_num   (matroska, matroska->ctx->pb,  4, &cues_id);
+        if (bytes_read < 0 || cues_id != (MATROSKA_ID_CUES & 0xfffffff))
+            return bytes_read < 0 ? bytes_read : AVERROR_INVALIDDATA;
+        bytes_read = ebml_read_length(matroska, matroska->ctx->pb, &cues_length);
+        if (bytes_read < 0)
+            return bytes_read;
+        cues_end = cues_start + 4 + bytes_read + cues_length - 1;
     }
     avio_seek(matroska->ctx->pb, before_pos, SEEK_SET);
     if (cues_start == -1 || cues_end == -1) return -1;