authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-11-01 01:05:01 +0100
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-11-17 23:12:23 +0100
commitd95568f9a2d3c2d96265086db0a995b60f45b528 (patch)
treeef1106ad7848b07c9089dd83cd74cea82b717fb1
parent6e5ccabbe8461f5bde1c8ad87a2ced343fd2e5b7 (diff)
downloadffmpeg-d95568f9a2d3c2d96265086db0a995b60f45b528.tar.gz
mov: immediately return from mov_fix_index without old index entries
If there are no index entries, e_old = st->index_entries is only one byte large, since it was created by av_realloc called with size 0. Thus accessing e_old[0].timestamp causes a heap buffer overflow. Reviewed-by: Sasi Inguva <isasi@google.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 9d83b209d8861f1daf55f6719b1e0c226ed7269a) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-rw-r--r--libavformat/mov.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 357d800732..1e2141808d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2961,7 +2961,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st)
int first_non_zero_audio_edit = -1;
int packet_skip_samples = 0;
- if (!msc->elst_data || msc->elst_count <= 0) {
+ if (!msc->elst_data || msc->elst_count <= 0 || nb_old <= 0) {
return;
}
// Clean AVStream from traces of old index
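Review bot: The new `nb_old <= 0` term in the early-return guard of mov_fix_index has no comment explaining why it is needed, and the reason is not visible from the condition itself. According to the commit message, with no index entries `e_old` points at a one-byte allocation, so the later `e_old[0].timestamp` read is a heap out-of-bounds access. I would add above the `if`: `// No old index entries: e_old is a zero-size allocation, so e_old[0] must not be read.` `nb_old` and `e_old` are declared outside the hunk, so this presumably relies on `nb_old` still holding the stream's entry count at this point, which is worth confirming. Since the function body starts and ends outside the hunk, it is also worth checking whether any other reader of `st->index_entries` assumes at least one entry.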