On Mon, Nov 10, 2014 at 06:21:28PM +0100, Clément Bœsch wrote: > From: Clément Bœsch <clem...@stupeflix.com> > > --- > libavformat/mov.c | 35 ++++++++++++++--------------------- > 1 file changed, 14 insertions(+), 21 deletions(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 6ba7b96..4010668 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -1272,10 +1272,9 @@ static int mov_read_stco(MOVContext *c, AVIOContext > *pb, MOVAtom atom) > > if (!entries) > return 0; > - if (entries >= UINT_MAX/sizeof(int64_t)) > - return AVERROR_INVALIDDATA; > > - sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); > + av_free(sc->chunk_offsets); > + sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); > if (!sc->chunk_offsets) > return AVERROR(ENOMEM); > sc->chunk_count = entries;
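Review bot: the stale `sc->chunk_count` is not cleared on the error path of this hunk. After `av_free(sc->chunk_offsets);` the old count from a previously parsed stco atom survives until `sc->chunk_count = entries;`, so when `av_malloc_array` fails and the function returns `AVERROR(ENOMEM)`, the context is left with a NULL `chunk_offsets` paired with a non-zero `chunk_count`. Suggest resetting it immediately after the free, e.g. `av_freep(&sc->chunk_offsets); sc->chunk_count = 0;`. The same stale pairing also exists on the early `return 0` for `!entries`, which neither frees nor resets a previously allocated array. Removing the `entries >= UINT_MAX/sizeof(int64_t)` guard is acceptable only because `av_malloc_array` performs the multiplication overflow check itself; the commit message should say so.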
chunk_count seems not to be reset when the array is freed and an error happens. Also, previously a ridiculously sized array would not have removed a previously existing array. I am not sure if such duplicate atoms do occur in non-crafted files, so maybe it doesn't matter.

[...]

--
Michael
GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Everything should be made as simple as possible, but not simpler. -- Albert Einstein
ffmpeg-devel mailing list: ffmpeg-devel@ffmpeg.org, http://ffmpeg.org/mailman/listinfo/ffmpeg-devel