[FFmpeg-cvslog] mov: immediately return from mov_fix_index without old index entries

Andreas Cadhalpun git at videolan.org
Tue Nov 1 20:03:26 EET 2016


ffmpeg | branch: master | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Tue Nov  1 01:05:01 2016 +0100| [9d83b209d8861f1daf55f6719b1e0c226ed7269a] | committer: Andreas Cadhalpun

mov: immediately return from mov_fix_index without old index entries

If there are no index entries, e_old = st->index_entries is only one
byte large, since it was created by av_realloc called with size 0.

Thus accessing e_old[0].timestamp causes a heap buffer overflow.

Reviewed-by: Sasi Inguva <isasi at google.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9d83b209d8861f1daf55f6719b1e0c226ed7269a
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index b4806f7..4222088 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2961,7 +2961,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st)
     int first_non_zero_audio_edit = -1;
     int packet_skip_samples = 0;
 
-    if (!msc->elst_data || msc->elst_count <= 0) {
+    if (!msc->elst_data || msc->elst_count <= 0 || nb_old <= 0) {
         return;
     }
     // Clean AVStream from traces of old index
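Review bot: the added `nb_old <= 0` condition reads `nb_old` before the visible context shows where it is assigned, so confirm in the surrounding function that `nb_old` is initialized from the stream's index entry count before this guard rather than further down (the early return is only correct if the value is already set here). A brief comment on the new condition would also help future readers, since the reason is only in the commit message, e.g. `/* no old index entries: e_old is a zero-size allocation, nothing to fix */` placed above the `if`. Note that returning here also skips the "Clean AVStream from traces of old index" step that follows, which is fine for an empty index but worth stating in the comment.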
