[FFmpeg-devel] stsz overflow
Frank Barchard
fbarchard
Mon Aug 24 23:07:46 CEST 2009
Large stsz can cause the malloc expression to overflow, which will quietly
allocate too little memory and crash later.
Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c (revision 19695)
+++ libavformat/mov.c (working copy)
@@ -1262,6 +1262,8 @@
if (!sc->sample_sizes)
return AVERROR(ENOMEM);
+ if(entries >= UINT_MAX / (sizeof(int)*8))
+ return -1;
num_bytes = (entries*field_size+4)>>3;
buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);
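Review bot: the guard `entries >= UINT_MAX / (sizeof(int)*8)` only covers `entries*field_size+4` under the unstated assumption that `field_size` never exceeds `sizeof(int)*8`; checking against the actual multiplier, e.g. `if (entries > (UINT_MAX - 4) / field_size)`, makes the bound self-evidently correct and keeps it valid if `field_size` is validated differently later. Two smaller points: the surrounding code returns AVERROR codes (`return AVERROR(ENOMEM);` two lines above), so `return -1;` should be `return AVERROR(EINVAL);` for consistency, and the check sits after `sc->sample_sizes` has already been allocated (the `if (!sc->sample_sizes)` test), so placing it before that allocation avoids work that is discarded on the error path. Style: `if(` should be `if (` to match the context lines.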
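The failure mode described in the post, an unsigned multiply that wraps and quietly yields a too-small allocation, is easiest to see with the size computation isolated in a helper. The following is an added example, not FFmpeg code: it mirrors the `(entries*field_size+4)>>3` expression from the hunk, rejects any `entries`/`field_size` pair for which that expression would overflow, and only then allocates. The `PADDING` constant stands in for FF_INPUT_BUFFER_PADDING_SIZE and the upper bound on `field_size` (32 bits, matching the patch's `sizeof(int)*8`) are assumptions for the example.

```c
#include <limits.h>
#include <stdlib.h>

/* Added example (not FFmpeg code). Computes (entries * field_size + 4) / 8,
 * the number of bytes needed to hold `entries` sample sizes of `field_size`
 * bits each, without letting the multiplication or the addition wrap.
 * Returns 0 and stores the result in *out on success, -1 if the value is
 * not representable; *out is left untouched on failure. */
int stsz_num_bytes(unsigned int entries, unsigned int field_size, unsigned int *out)
{
    unsigned int bits;

    /* Assumption for the example: a field is at most sizeof(int)*8 bits wide,
     * the same bound the patch relies on. Zero width is meaningless. */
    if (field_size == 0 || field_size > sizeof(int) * 8)
        return -1;

    /* Overflow check against the real multiplier: entries * field_size + 4
     * fits in unsigned int iff entries <= (UINT_MAX - 4) / field_size. */
    if (entries > (UINT_MAX - 4) / field_size)
        return -1;

    bits = entries * field_size + 4;   /* cannot wrap after the check above */
    *out = bits >> 3;
    return 0;
}

/* Stand-in for FF_INPUT_BUFFER_PADDING_SIZE; the value is an assumption. */
#define PADDING 8

/* Allocates the sample-size buffer only when the size computation succeeded
 * and the padding does not push the total past UINT_MAX. Returns NULL on any
 * failure so the caller never receives a buffer smaller than it expects. */
unsigned char *alloc_stsz_buffer(unsigned int entries, unsigned int field_size,
                                 unsigned int *num_bytes)
{
    unsigned int n;

    if (stsz_num_bytes(entries, field_size, &n) < 0)
        return NULL;
    if (n > UINT_MAX - PADDING)
        return NULL;

    *num_bytes = n;
    return calloc(n + PADDING, 1);
}
```

Note that the rejection boundary is exact: `(UINT_MAX - 4) / 32` entries of 32 bits is accepted, one more is refused, whereas the patch's `UINT_MAX / 32` bound rejects slightly early and silently depends on the 32-bit ceiling for `field_size`.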