mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
2015-01-05 16:19:09 -08:00
parent e0a12b3dc3
commit 022bfd3dd4
1 changed files with 3 additions and 0 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
 static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
                            unsigned len, const char *key)
 {
+    // Check for overflow.
+    if (len >= INT_MAX)
+        return AVERROR(EINVAL);
    char *value = av_malloc(len + 1);
    if (!value)
        return AVERROR(ENOMEM);