get_tag() is not designed with negative length in mind; in this case, it will allocate a very small buffer (LEN_PRETTY_GUID + 1) and might call avio_get_str16le() with a negative maxlen (which relies on these parameters to be signed).
Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@outlook.com> --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 1103f5ba03..2de6dc2103 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -539,7 +539,7 @@ static void parse_legacy_attrib(AVFormatContext *s, AVIOContext *pb) ff_get_guid(pb, &guid); type = avio_rl32(pb); length = avio_rl32(pb); - if (!length) + if (length <= 0) break; if (ff_guidcmp(&guid, ff_metadata_guid)) { av_log(s, AV_LOG_WARNING, "unknown guid "FF_PRI_GUID", expected metadata_guid; " -- 2.34.1
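Review bot: In parse_legacy_attrib(), the new `if (length <= 0) break;` handles a negative length exactly like the zero terminator and leaves the loop silently, so a corrupt or crafted attribute block cannot be told apart from a normal end of list. Consider a separate `length < 0` branch that emits an av_log() warning before breaking, in the same way the unknown-guid case just below does. The check also only has an effect if `length` is declared as a signed int, because avio_rl32() returns an unsigned value; the declaration is outside this hunk, so it is worth confirming, or saying in the commit message, that the conversion to a signed type is intended here.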