From 38e628fd6df6dcb6fe69472b95e539519061ac49 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 11 May 2015 15:23:51 +0200
Subject: [PATCH] avformat/vorbiscomment: Check entry length in
 ff_vorbiscomment_write()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavformat/vorbiscomment.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/vorbiscomment.c b/libavformat/vorbiscomment.c
index cc9b6620ef..e953d83d65 100644
--- a/libavformat/vorbiscomment.c
+++ b/libavformat/vorbiscomment.c
@@ -61,8 +61,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m,
         AVDictionaryEntry *tag = NULL;
         bytestream_put_le32(p, count);
         while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) {
-            unsigned int len1 = strlen(tag->key);
-            unsigned int len2 = strlen(tag->value);
+            int64_t len1 = strlen(tag->key);
+            int64_t len2 = strlen(tag->value);
+            if (len1+1+len2 > UINT32_MAX)
+                return AVERROR(EINVAL);
             bytestream_put_le32(p, len1+1+len2);
             bytestream_put_buffer(p, tag->key, len1);
             bytestream_put_byte(p, '=');