ffmpeg | branch: release/2.3 | Dale Curtis <dalecur...@chromium.org> | Mon Jan 5 16:19:09 2015 -0800| [22558d6f6e8652d362add0c5c195964c5e65cfd2] | committer: Michael Niedermayer
mov: Avoid overflow with mov_metadata_raw() The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta <p...@paulmehta.com> Signed-off-by: Dale Curtis <dalecur...@chromium.org> Signed-off-by: Michael Niedermayer <michae...@gmx.at> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=22558d6f6e8652d362add0c5c195964c5e65cfd2 --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 156bbbd..3711d29 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -214,6 +214,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
