diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2015-01-06 04:29:10 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-01-09 17:19:10 +0100 |
| commit | 25312a427bda360a98c6a38be7af9e5f686c9902 (patch) | |
| tree | 1533f39f25a0179ed4fd2632204d5bd06c6434d7 | |
| parent | 9143ab0e5a75519c899cae2996d07b3f69bcfb24 (diff) | |
| download | ffmpeg-25312a427bda360a98c6a38be7af9e5f686c9902.tar.gz | |
avformat/mov: fix integer overflow in mov_read_udta_string()
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/mov.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 3a93897a96..11fdcf0194 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -355,7 +355,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size_alloc = str_size << 1; // worst-case requirement for output string in case of utf8 coded input |