Fix for heap read overflow in Qt Avi Riff viewer when reading avi files created by ffmpeg. Caught by running with clang/gcc address sanitizer.

src/drivers/Qt/AviRiffViewer.cpp

@@ -848,9 +848,11 @@ int  AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
 		}
 		else if ( strcmp( strhType, "auds" ) == 0 )
 		{
-			data.malloc( item->getSize()+8 );
+			size_t dataSize = item->getSize()+8;
 
-			avi->getChunkData( item->filePos(), data.buf, item->getSize()+8 );
+			data.malloc( dataSize );
+
+			avi->getChunkData( item->filePos(), data.buf, dataSize );
 
 			sprintf( stmp, "%c%c%c%c", data.buf[0], data.buf[1], data.buf[2], data.buf[3] );
 
@@ -908,6 +910,10 @@ int  AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
 			twi->setText( 2, tr(stmp) );
 			item->addChild(twi);
 
+			// ffmpeg does not write out this element.
+			// Check chunk size to ensure it is there to avoid heap read overflow.
+			if ( dataSize >= 26 )
+			{
 				sprintf( stmp, "%u", data.readU16(24) );
 
 				twi = new QTreeWidgetItem();
@@ -916,6 +922,7 @@ int  AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
 				item->addChild(twi);
 			}
 		}
+	}
 	else if ( isRiffTag( item->getFourcc(), &riffIdx ) )
 	{
 		int j=0;