Browse Source

mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
tags/n2.4.6
Dale Curtis Michael Niedermayer 11 years ago
parent
commit
134ff88c6a
1 changed files with 3 additions and 0 deletions
  1. +3
    -0
      libavformat/mov.c

+ 3
- 0
libavformat/mov.c View File

@@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
unsigned len, const char *key)
{
// Check for overflow.
if (len >= INT_MAX)
return AVERROR(EINVAL);
char *value = av_malloc(len + 1);
if (!value)
return AVERROR(ENOMEM);


Loading…
Cancel
Save