avformat/mvdec: Check size for validity in var_read_string()

Fixes out of array read Fixes: asan_heap-oob_49b1e5_12_011.movie Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-10-28 16:42:05 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-10-28 17:06:16 +0100
commit: 86e574928536ee5249d9cf4da9f5d8714611d706 (patch)
tree: 001f3b84a58c46f706b1bd656a61643349818db9 /libavformat/mvdec.c
parent: e70312dfc22c4e54d5716f28f28db8f99c74cc90 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 6e7c3ffd11..0f09498b2b 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -57,7 +57,12 @@ static int mv_probe(AVProbeData *p)
 static char *var_read_string(AVIOContext *pb, int size)
 {
     int n;
-    char *str = av_malloc(size + 1);
+    char *str;
+
+    if (size < 0 || size == INT_MAX)
+        return NULL;
+
+    str = av_malloc(size + 1);
     if (!str)
         return NULL;
     n = avio_get_str(pb, size, str, size + 1);
author	Michael Niedermayer <michaelni@gmx.at>	2014-10-28 16:42:05 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-10-28 17:06:16 +0100
commit	86e574928536ee5249d9cf4da9f5d8714611d706 (patch)
tree	001f3b84a58c46f706b1bd656a61643349818db9 /libavformat/mvdec.c
parent	e70312dfc22c4e54d5716f28f28db8f99c74cc90 (diff)