diff options
author | Dale Curtis <dalecurtis@chromium.org> | 2015-01-05 16:19:09 -0800 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2015-01-06 18:28:35 +0100 |
commit | 22558d6f6e8652d362add0c5c195964c5e65cfd2 (patch) | |
tree | 8ee37c0e97129a652c5de0c0f533e29f16d3dc6c | |
parent | f03888b449faf2888a149cae3b340ea13c6f85fa (diff) | |
download | ffmpeg-22558d6f6e8652d362add0c5c195964c5e65cfd2.tar.gz |
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavformat/mov.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 156bbbdf75..3711d2932e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -214,6 +214,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); |