[FFmpeg-cvslog] avformat/mov: Fix potential integer overflow in mov_read_keys
Sergey Volk
git at videolan.org
Thu Sep 8 12:39:46 EEST 2016
ffmpeg | branch: master | Sergey Volk <servolk at google.com> | Wed Sep 7 14:05:35 2016 -0700| [347cb14b7cba7560e53f4434b419b9d8800253e7] | committer: Michael Niedermayer
avformat/mov: Fix potential integer overflow in mov_read_keys
Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=347cb14b7cba7560e53f4434b419b9d8800253e7
---
libavformat/mov.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f499906..a7595c5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3278,7 +3278,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
avio_skip(pb, 4);
count = avio_rb32(pb);
- if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+ if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
av_log(c->fc, AV_LOG_ERROR,
"The 'keys' atom with the invalid key count: %d\n", count);
return AVERROR_INVALIDDATA;
More information about the ffmpeg-cvslog
mailing list