[FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Thu Dec 15 03:39:47 EET 2016
On 15.12.2016 00:36, Matthew Wolenetz wrote:
> From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001
> From: Matt Wolenetz <wolenetz at chromium.org>
> Date: Tue, 6 Dec 2016 12:33:08 -0800
> Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
>
> Core of patch is from paul at paulmehta.com
> Reference https://crbug.com/643951
> ---
> libavformat/mov.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 7254505..e506d20 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) {
> uint8_t *buffer;
> size_t len = atom.size - sizeof(uuid);
> + if (len >= UINT_MAX)
This should also use SIZE_MAX.
> + return AVERROR_INVALIDDATA;
>
> buffer = av_mallocz(len + 1);
> if (!buffer) {
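Review bot: The added `if (len >= UINT_MAX)` check tests the value after `size_t len = atom.size - sizeof(uuid);` has already been computed, so it guards the `len + 1` passed to `av_mallocz` but not the subtraction itself. If `atom.size` can be smaller than `sizeof(uuid)` at this point, or is wider than `size_t`, the result wraps or is truncated before the comparison and may still land below the limit. Consider validating `atom.size` against `sizeof(uuid)` and the upper bound before the subtraction. Separately, `len + 1` wraps only when `len == SIZE_MAX`, so a bound of `UINT_MAX` is stricter than needed where `size_t` is 64 bits; if that is meant as a sanity cap on the XMP payload, a short comment saying so would help, otherwise comparing against `SIZE_MAX` matches the stated intent.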
Best regards,
Andreas