[FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations
Michael Niedermayer
michaelni at gmx.at
Mon Nov 10 22:22:37 CET 2014
On Mon, Nov 10, 2014 at 06:21:28PM +0100, Clément Bœsch wrote:
> From: Clément Bœsch <clement at stupeflix.com>
>
> ---
> libavformat/mov.c | 35 ++++++++++++++---------------------
> 1 file changed, 14 insertions(+), 21 deletions(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 6ba7b96..4010668 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -1272,10 +1272,9 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>
> if (!entries)
> return 0;
> - if (entries >= UINT_MAX/sizeof(int64_t))
> - return AVERROR_INVALIDDATA;
>
> - sc->chunk_offsets = av_malloc(entries * sizeof(int64_t));
> + av_free(sc->chunk_offsets);
> + sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets));
> if (!sc->chunk_offsets)
> return AVERROR(ENOMEM);
> sc->chunk_count = entries;
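Review bot: on the failure path after `av_free(sc->chunk_offsets)`, `sc->chunk_count` is left at whatever an earlier stco atom set it to, because it is only assigned once the allocation succeeds. If `av_malloc_array()` fails, the function returns `AVERROR(ENOMEM)` with `sc->chunk_offsets` NULL and a nonzero stale count, so any later code that indexes the table by `chunk_count` would read through a NULL pointer. Set `sc->chunk_count = 0` next to the free, before the allocation, so that pointer and count always agree. The same ordering matters for a second stco atom with an oversized `entries`: the old table is now dropped before the new size is known to be allocatable.
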
chunk_count seems not to be reset when the array is freed and an error
happens.
Also, previously a ridiculously sized array would not have removed
a previously existing array.
I am not sure if such duplicate atoms do occur in non-crafted files,
so maybe it doesn't matter.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein