From fa6fa8e7f646cf208c1c2bd39b5b257b41ce7ba8 Mon Sep 17 00:00:00 2001
From: curious-rabbit
Date: Sun, 17 May 2026 14:47:17 +0200
Subject: [PATCH] demux_mkv: fix integer overflow in parse_vorbis_chmap
---
 demux/demux_mkv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index acbd75f6d929f..a41272ee9d0eb 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -1819,7 +1819,8 @@ static void parse_vorbis_chmap(struct mp_chmap *channels, unsigned char *data,
 if (size < 4)
 return;
 uint32_t vendor_length = AV_RL32(data);
- if (vendor_length + 4 > size) // also check for the next AV_RB32 below
+ // 4 (vendor_length) + vendor string + 4 (num_headers); subtract to avoid overflow
+ if (size < 8 || vendor_length > size - 8)
 return;
 size -= vendor_length + 4;
 data += vendor_length + 4;
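Review bot: The new guard `if (size < 8 || vendor_length > size - 8)` is only correct because `size < 8` is evaluated first, and the comment above it does not state that dependency. The declaration of `size` is outside the hunk; if it is a signed type, `size - 8` is converted to unsigned for the comparison with the `uint32_t` vendor_length, so reordering or dropping the first test would bring back a wrapped bound on a length field read from untrusted file data. I would extend the comment with something like `// size >= 8 is tested first so that size - 8 cannot go negative or wrap in the unsigned comparison`. The function body continues past the hunk, so whether the later length checks still use the additive form (`len + N > size`) cannot be judged from here and is worth checking in the same pass.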