From bab7d72d46458061065a41536611793b9a53fa5a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 21 Oct 2016 19:45:21 +0200
Subject: [PATCH] avformat/mxfdec: Check size to avoid integer overflow in
 mxf_read_utf16_string()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fecb3e82a4ba09dc11a51ad0961ab491881a53a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index f214b36e3c..173a769ada 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -826,7 +826,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i
     int ret;
     size_t buf_size;
 
-    if (size < 0)
+    if (size < 0 || size > INT_MAX/2)
         return AVERROR(EINVAL);
 
     buf_size = size + size / 2 + 1;