[FFmpeg-devel] stsz overflow
Baptiste Coudurier
baptiste.coudurier
Mon Aug 24 23:22:40 CEST 2009
Hi,
On 08/24/2009 02:07 PM, Frank Barchard wrote:
> Large stsz can cause the malloc expression to overflow, which will quietly
> allocate too little memory and crash later.
>
> Index: libavformat/mov.c
> ===================================================================
> --- libavformat/mov.c (revision 19695)
> +++ libavformat/mov.c (working copy)
> @@ -1262,6 +1262,8 @@
> if (!sc->sample_sizes)
> return AVERROR(ENOMEM);
>
> + if(entries>= UINT_MAX / (sizeof(int)*8))
> + return -1;
> num_bytes = (entries*field_size+4)>>3;
>
> buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);
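Review bot: the guard `if(entries>= UINT_MAX / (sizeof(int)*8))` bounds `entries` by a constant that does not appear in the expression it protects, `num_bytes = (entries*field_size+4)>>3`; unless `field_size` is guaranteed never to exceed `sizeof(int)*8`, the check should be written against the actual multiplier (e.g. `if (entries >= UINT_MAX / field_size)`), or the invariant should be stated in a comment next to the check. Two smaller points: the bare `return -1` is inconsistent with the `return AVERROR(ENOMEM);` two lines above, so an AVERROR code such as `AVERROR(EINVAL)` would fit better, and the spacing `if (entries >= ...)` matches the surrounding code.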
Why sizeof(int)*8 ?
--
Baptiste COUDURIER GnuPG Key Id: 0x5C1ABAAA
Key fingerprint 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
FFmpeg maintainer http://www.ffmpeg.org