diff options
| author | Dale Curtis <dalecurtis@chromium.org> | 2015-01-05 16:19:09 -0800 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-01-09 17:19:10 +0100 |
| commit | 022bfd3dd47c3a2b59ce3eb1142aecc199f320ed (patch) | |
| tree | 0d8668f1a2e015f447d970dbf71dd53e196bbb8d | |
| parent | e0a12b3dc3a252412e91416ebbbf9449e82e4bd0 (diff) | |
| download | ffmpeg-022bfd3dd47c3a2b59ce3eb1142aecc199f320ed.tar.gz | |
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
| -rw-r--r-- | libavformat/mov.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 57e4524e35..b888c6736d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); |