mov: Add bound checks to avoid integer overflow and invalid memory allocation

Xiaohui Zhang Sun, 18 Oct 2020 19:43:12 -0700

From: Zhang Xiaohui <ruc_zhangxiao...@163.com>

Hi, I think function mov_read_cmov fails to perform proper bounds
checking on atom.size and cmov_len, which may lead to integer
overflow and invalid memory allocation.


Signed-off-by: Zhang Xiaohui <ruc_zhangxiao...@163.com>
---
 libavformat/mov.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7fd43a8fc5..245c720e42 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5181,8 +5181,12 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
     if (avio_rl32(pb) != MKTAG('c','m','v','d'))
         return AVERROR_INVALIDDATA;
     moov_len = avio_rb32(pb); /* uncompressed size */
+    if (atom.size > LONG_MAX + 6 * 4)
+        return AVERROR_INVALIDDATA;
     cmov_len = atom.size - 6 * 4;
 
+    if (cmov_len <= 0)
+        return AVERROR_INVALIDDATA;
     cmov_data = av_malloc(cmov_len);
     if (!cmov_data)
         return AVERROR(ENOMEM);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 1/1] libavformat/mov: Add bound checks to avoid integer overflow and invalid memory allocation

Reply via email to