highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mov: Avoid overflow with mov_metadata_raw()

Browse Source 
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Dale Curtis
2015-01-05 16:19:09 -08:00
committed by Michael Niedermayer
parent e2e145db89
commit 134ff88c6a
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/mov.c
View File

@@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
unsigned len, const char *key) unsigned len, const char *key)
{ {
// Check for overflow.
if (len >= INT_MAX)
return AVERROR(EINVAL);
char *value = av_malloc(len + 1); char *value = av_malloc(len + 1);
if (!value) if (!value)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);