diff options
| author | Dale Curtis <[email protected]> | 2015-01-05 16:19:09 -0800 |
|---|---|---|
| committer | Michael Niedermayer <[email protected]> | 2015-01-09 17:18:40 +0100 |
| commit | 134ff88c6a80672a108c607d8df459f401560d3c (patch) | |
| tree | 31367cb21b83f278478500b31931982805c23c93 | |
| parent | e2e145db89913e86e9b8573b1b90f001c46dee5e (diff) | |
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <[email protected]>
Signed-off-by: Dale Curtis <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
| -rw-r--r-- | libavformat/mov.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index dfd4bce0b7..f78680a0e9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); |