diff options
| author | Dale Curtis <dalecurtis@chromium.org> | 2015-01-05 16:19:09 -0800 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-06-10 02:13:07 +0200 |
| commit | da29aadeb7f2ecb5fd84be2631386a4e3838a9de (patch) | |
| tree | 9da3ca4e6d0ccdd49f4cbf134fced7550aede96f | |
| parent | 776c481eb902afa6f8fbb32582154b3f19feefb3 (diff) | |
| download | ffmpeg-da29aadeb7f2ecb5fd84be2631386a4e3838a9de.tar.gz | |
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/mov.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index fd9f556fb1..b78fa74bb4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -278,6 +278,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); |