[FFmpeg-cvslog] mov: Avoid overflow with mov_metadata_raw()
Dale Curtis
git at videolan.org
Tue Jan 13 17:05:06 CET 2015
ffmpeg | branch: release/2.4 | Dale Curtis <dalecurtis at chromium.org> | Mon Jan 5 16:19:09 2015 -0800| [134ff88c6a80672a108c607d8df459f401560d3c] | committer: Michael Niedermayer
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul at paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=134ff88c6a80672a108c607d8df459f401560d3c
---
libavformat/mov.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index dfd4bce..f78680a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
unsigned len, const char *key)
{
+ // Check for overflow.
+ if (len >= INT_MAX)
+ return AVERROR(EINVAL);
char *value = av_malloc(len + 1);
if (!value)
return AVERROR(ENOMEM);
More information about the ffmpeg-cvslog
mailing list