avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write()
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 11 May 2015 13:23:51 +0000 (15:23 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Thu, 21 May 2015 18:43:38 +0000 (20:43 +0200)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/vorbiscomment.c

index cc9b662..e953d83 100644 (file)
@@ -61,8 +61,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m,
         AVDictionaryEntry *tag = NULL;
         bytestream_put_le32(p, count);
         while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) {
-            unsigned int len1 = strlen(tag->key);
-            unsigned int len2 = strlen(tag->value);
+            int64_t len1 = strlen(tag->key);
+            int64_t len2 = strlen(tag->value);
+            if (len1+1+len2 > UINT32_MAX)
+                return AVERROR(EINVAL);
             bytestream_put_le32(p, len1+1+len2);
             bytestream_put_buffer(p, tag->key, len1);
             bytestream_put_byte(p, '=');
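Review bot: The new `return AVERROR(EINVAL);` inside the `while` loop fires only after `bytestream_put_le32(p, count)` and any earlier entries have been written, so on failure `*p` is left advanced over a partial comment block. Callers have to discard the output on error, which is worth stating at the return. The check also only keeps the 32-bit length field from truncating. Whether the destination buffer is large enough depends on the size computation done before this call, which is outside the hunk and presumably needs the same 64-bit arithmetic and bound; confirm that. A comment above the `if` such as `/* entry length is stored as 32-bit LE; reject anything that would not fit */` would record why `len1` and `len2` are `int64_t`. The body of ff_vorbiscomment_write starts and ends outside the hunk.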