mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta <paul@paulmehta.com> Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Dale Curtis <dalecurtis@chromium.org> 2015-01-06 03:19:09 +0300
committer: Michael Niedermayer <michaelni@gmx.at> 2015-01-06 06:20:49 +0300
commit: 57710c3646d4e0edb9e66ecf059d29df172a4187 (patch)
tree: f6fa0eeb4ec1f5c6944e00f97600b9236e9b34ad /libavformat
parent: 0d481efb7b81ab2f0491a854a4fd5d8cfb305680 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f0d095e1a1..0d4017b5b3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -279,6 +279,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
 static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
                             unsigned len, const char *key)
 {
+    // Check for overflow.
+    if (len >= INT_MAX)
+        return AVERROR(EINVAL);
     char *value = av_malloc(len + 1);
     if (!value)
         return AVERROR(ENOMEM);
author	Dale Curtis <dalecurtis@chromium.org>	2015-01-06 03:19:09 +0300
committer	Michael Niedermayer <michaelni@gmx.at>	2015-01-06 06:20:49 +0300
commit	57710c3646d4e0edb9e66ecf059d29df172a4187 (patch)
tree	f6fa0eeb4ec1f5c6944e00f97600b9236e9b34ad /libavformat
parent	0d481efb7b81ab2f0491a854a4fd5d8cfb305680 (diff)