Updated to SIZE_MAX. Thank you for your comments. On Wed, Dec 14, 2016 at 5:39 PM, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote:
> On 15.12.2016 00:36, Matthew Wolenetz wrote: > > From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001 > > From: Matt Wolenetz <wolen...@chromium.org> > > Date: Tue, 6 Dec 2016 12:33:08 -0800 > > Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid > > > > Core of patch is from p...@paulmehta.com > > Reference https://crbug.com/643951 > > --- > > libavformat/mov.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index 7254505..e506d20 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c > > @@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c, > AVIOContext *pb, MOVAtom atom) > > } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) { > > uint8_t *buffer; > > size_t len = atom.size - sizeof(uuid); > > + if (len >= UINT_MAX) > > This should also use SIZE_MAX. > > > + return AVERROR_INVALIDDATA; > > > > buffer = av_mallocz(len + 1); > > if (!buffer) { > > Best regards, > Andreas > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >
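Review bot: the guard `+ if (len >= UINT_MAX)` in this quoted hunk uses the wrong bound for what it protects. `len` is a `size_t`, and the hazard is `av_mallocz(len + 1)` wrapping to an allocation of size 0, which on an LP64 target only happens at `len == SIZE_MAX`; comparing against `UINT_MAX` makes the rejection threshold depend on the width of `unsigned int` rather than on `size_t`, so `if (len >= SIZE_MAX)` is the right condition, as the inline reply says. It would also help to add a short comment on that line stating that the check exists to prevent the `len + 1` wrap, so it is not later mistaken for an arbitrary size limit and relaxed.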
From 1763ad5ae340e09081d8f50e867c2702cb5ec61e Mon Sep 17 00:00:00 2001 From: Matt Wolenetz <wolen...@google.com> Date: Wed, 14 Dec 2016 15:26:19 -0800 Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid Core of patch is from p...@paulmehta.com Reference https://crbug.com/643951 Signed-off-by: Matt Wolenetz <wolen...@chromium.org> --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6fd43a0a4e..93aece510c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4849,6 +4849,8 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) uint8_t *buffer; size_t len = atom.size - sizeof(uuid); if (c->export_xmp) { + if (len >= SIZE_MAX) + return AVERROR_INVALIDDATA; buffer = av_mallocz(len + 1); if (!buffer) { return AVERROR(ENOMEM); -- 2.11.0.483.g087da7b7c-goog
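Review bot: the added `if (len >= SIZE_MAX) return AVERROR_INVALIDDATA;` is the correct fix for the wrap in `av_mallocz(len + 1)`: with `len == SIZE_MAX` the argument becomes 0, the allocation succeeds with no usable space, and the read of `len` bytes into `buffer` that follows would overrun the heap. Two points for the hunk: it carries no comment explaining why the bound is `SIZE_MAX` specifically, and because `len` is computed as `atom.size - sizeof(uuid)` the check only covers the `len + 1` wrap, not an `atom.size` smaller than `sizeof(uuid)`; if that case is not already rejected earlier in `mov_read_uuid`, an explicit `atom.size < sizeof(uuid)` check before the subtraction would be clearer than relying on the huge wrapped value making `av_mallocz` fail.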