avcodec/utils: add some saftey checks to add_metadata_from_side_data()

This fixes potential overreads with crafted files. Found-by: wm4 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-10-19 17:52:47 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-10-19 17:58:47 +0200
commit: 838f461b0716393a1b5c70efd03de1e8bc197380 (patch)
tree: dcb19c6fe2d7e9e911af8c0c0dd6c376229243d4
parent: 240fd8c96f59ebe9dcfc4152a1086cd3f63400c0 (diff)
download: ffmpeg-838f461b0716393a1b5c70efd03de1e8bc197380.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 3832b81677..162d61d468 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1952,10 +1952,17 @@ static int add_metadata_from_side_data(AVCodecContext *avctx, AVFrame *frame)
     if (!side_metadata)
         goto end;
     end = side_metadata + size;
+    if (size && end[-1])
+        return AVERROR_INVALIDDATA;
     while (side_metadata < end) {
         const uint8_t *key = side_metadata;
         const uint8_t *val = side_metadata + strlen(key) + 1;
-        int ret = av_dict_set(avpriv_frame_get_metadatap(frame), key, val, 0);
+        int ret;
+
+        if (val >= end)
+            return AVERROR_INVALIDDATA;
+
+        ret = av_dict_set(avpriv_frame_get_metadatap(frame), key, val, 0);
         if (ret < 0)
             break;
         side_metadata = val + strlen(val) + 1;
author	Michael Niedermayer <michaelni@gmx.at>	2013-10-19 17:52:47 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-10-19 17:58:47 +0200
commit	838f461b0716393a1b5c70efd03de1e8bc197380 (patch)
tree	dcb19c6fe2d7e9e911af8c0c0dd6c376229243d4
parent	240fd8c96f59ebe9dcfc4152a1086cd3f63400c0 (diff)
download	ffmpeg-838f461b0716393a1b5c70efd03de1e8bc197380.tar.gz