[FFmpeg-devel] [PATCH 1/1] libavformat/mov: Add bound checks to avoid integer overflow and invalid memory allocation
"zhilizhao(赵志立)"
quinkblack at foxmail.com
Mon Oct 19 11:03:36 EEST 2020
> On Oct 19, 2020, at 10:42 AM, Xiaohui Zhang <ruc_zhangxiaohui at 163.com> wrote:
>
> From: Zhang Xiaohui <ruc_zhangxiaohui at 163.com>
>
> Hi, I think function mov_read_cmov fails to perform proper bounds
> checking on atom.size and cmov_len, which may lead to integer
> overflow and invalid memory allocation.
>
> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui at 163.com>
> ---
> libavformat/mov.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 7fd43a8fc5..245c720e42 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5181,8 +5181,12 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> if (avio_rl32(pb) != MKTAG('c','m','v','d'))
> return AVERROR_INVALIDDATA;
> moov_len = avio_rb32(pb); /* uncompressed size */
> + if (atom.size > LONG_MAX + 6 * 4)
> + return AVERROR_INVALIDDATA;
LONG_MAX + 6 * 4 leads to overflow.
> cmov_len = atom.size - 6 * 4;
>
> + if (cmov_len <= 0)
> + return AVERROR_INVALIDDATA;
> cmov_data = av_malloc(cmov_len);
> if (!cmov_data)
> return AVERROR(ENOMEM);
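Review bot: the first added check, `if (atom.size > LONG_MAX + 6 * 4)`, computes `LONG_MAX + 6 * 4` in signed arithmetic, which overflows before the comparison happens, so the guard does not reliably reject oversized atoms. Validate `atom.size` before the subtraction instead: reject `atom.size <= 6 * 4` up front, then compare `atom.size - 6 * 4` against the maximum of `cmov_len`'s type (its declaration is not shown in this hunk) rather than against `LONG_MAX`, whose width varies by platform. With that in place the `cmov_len <= 0` test after the assignment becomes redundant, and `av_malloc(cmov_len)` only ever sees a positive, in-range length.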
> --
> 2.17.1
>