From d3b45a145f9b3a8eb9b75b24839f23fe916512d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 25 Nov 2016 16:46:45 +0200
Subject: [PATCH] mxfdemux: Fix up another size check and prevent allocating
 too much memory

---
 gst/mxf/mxfdemux.c | 2 +-
 gst/mxf/mxftypes.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
index a38c332d92..525ff43379 100644
--- a/gst/mxf/mxfdemux.c
+++ b/gst/mxf/mxfdemux.c
@@ -1771,7 +1771,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
 
       index->offset = demux->offset - demux->run_in;
       index->keyframe = keyframe;
-    } else {
+    } else if (etrack->position < G_MAXINT) {
       GstMXFDemuxIndex index;
 
       index.offset = demux->offset - demux->run_in;
diff --git a/gst/mxf/mxftypes.c b/gst/mxf/mxftypes.c
index 8355126a5c..ba7704b8c5 100644
--- a/gst/mxf/mxftypes.c
+++ b/gst/mxf/mxftypes.c
@@ -1224,7 +1224,8 @@ mxf_index_table_segment_parse (const MXFUL * ul,
         tag_data += 4;
         tag_size -= 4;
 
-        if (tag_size / 11 < len)
+        if (tag_size / (11 + 4 * segment->slice_count +
+                8 * segment->pos_table_count) < len)
           goto error;
 
         segment->index_entries = g_new0 (MXFIndexEntry, len);