ffmpeg | branch: release/3.0 | Sergey Volk <serv...@google.com> | Wed Sep 7 14:05:35 2016 -0700| [9259b7f38e008720096532cd4e666a9889f3c578] | committer: Michael Niedermayer
avformat/mov: Fix potential integer overflow in mov_read_keys Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so we need to check that (count + 1) won't cause overflow. Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 347cb14b7cba7560e53f4434b419b9d8800253e7) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9259b7f38e008720096532cd4e666a9889f3c578 --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index bcba9bb..6b90d08 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3149,7 +3149,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); - if (count > UINT_MAX / sizeof(*c->meta_keys)) { + if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count); return AVERROR_INVALIDDATA; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
