avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index cdb5c4e..d2166ee 100644 (file)
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -717,7 +717,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i
     int ret;
     size_t buf_size;
 
-    if (size < 0)
+    if (size < 0 || size > INT_MAX/2)
         return AVERROR(EINVAL);
 
     buf_size = size + size / 2 + 1;