aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDale Curtis <dalecurtis@chromium.org>2015-01-05 16:19:09 -0800
committerMichael Niedermayer <michaelni@gmx.at>2015-01-06 18:28:35 +0100
commit22558d6f6e8652d362add0c5c195964c5e65cfd2 (patch)
tree8ee37c0e97129a652c5de0c0f533e29f16d3dc6c
parentf03888b449faf2888a149cae3b340ea13c6f85fa (diff)
downloadffmpeg-22558d6f6e8652d362add0c5c195964c5e65cfd2.tar.gz
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavformat/mov.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 156bbbdf75..3711d2932e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -214,6 +214,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
unsigned len, const char *key)
{
+ // Check for overflow.
+ if (len >= INT_MAX)
+ return AVERROR(EINVAL);
char *value = av_malloc(len + 1);
if (!value)
return AVERROR(ENOMEM);