mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Dale Curtis <dalecurtis@chromium.org> 2015-01-05 16:19:09 -0800
committer: Michael Niedermayer <michaelni@gmx.at> 2015-01-09 17:18:40 +0100
commit: 134ff88c6a80672a108c607d8df459f401560d3c (patch)
tree: 31367cb21b83f278478500b31931982805c23c93
parent: e2e145db89913e86e9b8573b1b90f001c46dee5e (diff)
download: ffmpeg-134ff88c6a80672a108c607d8df459f401560d3c.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index dfd4bce0b7..f78680a0e9 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
 static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
                             unsigned len, const char *key)
 {
+    // Check for overflow.
+    if (len >= INT_MAX)
+        return AVERROR(EINVAL);
     char *value = av_malloc(len + 1);
     if (!value)
         return AVERROR(ENOMEM);
author	Dale Curtis <dalecurtis@chromium.org>	2015-01-05 16:19:09 -0800
committer	Michael Niedermayer <michaelni@gmx.at>	2015-01-09 17:18:40 +0100
commit	134ff88c6a80672a108c607d8df459f401560d3c (patch)
tree	31367cb21b83f278478500b31931982805c23c93
parent	e2e145db89913e86e9b8573b1b90f001c46dee5e (diff)
download	ffmpeg-134ff88c6a80672a108c607d8df459f401560d3c.tar.gz