diff options
author | Dale Curtis <dalecurtis@chromium.org> | 2015-01-06 03:19:09 +0300 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2015-01-06 06:20:49 +0300 |
commit | 57710c3646d4e0edb9e66ecf059d29df172a4187 (patch) | |
tree | f6fa0eeb4ec1f5c6944e00f97600b9236e9b34ad /libavformat | |
parent | 0d481efb7b81ab2f0491a854a4fd5d8cfb305680 (diff) |
mov: Avoid overflow with mov_metadata_raw()
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.
Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/mov.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index f0d095e1a1..0d4017b5b3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -279,6 +279,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); |