[FFmpeg-cvslog] mov: Avoid overflow with mov_metadata_raw()

Dale Curtis git at videolan.org
Tue Jan 6 19:35:35 CET 2015


ffmpeg | branch: release/2.3 | Dale Curtis <dalecurtis at chromium.org> | Mon Jan  5 16:19:09 2015 -0800| [22558d6f6e8652d362add0c5c195964c5e65cfd2] | committer: Michael Niedermayer

mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.

Found-by: Paul Mehta <paul at paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=22558d6f6e8652d362add0c5c195964c5e65cfd2
---

 libavformat/mov.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 156bbbd..3711d29 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -214,6 +214,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
 static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
                             unsigned len, const char *key)
 {
+    // Check for overflow.
+    if (len >= INT_MAX)
+        return AVERROR(EINVAL);
     char *value = av_malloc(len + 1);
     if (!value)
         return AVERROR(ENOMEM);



More information about the ffmpeg-cvslog mailing list