[FFmpeg-devel] [PATCH] libavformat/mov: Fix heap buffer overflow.
Jacob Trimble
modmaker at google.com
Thu May 31 20:41:29 EEST 2018
Found by Chrome's ClusterFuzz: https://crbug.com/847060
Signed-off-by: Jacob Trimble <modmaker at google.com>
---
libavformat/mov.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f2a540ad50..08cc382a68 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5895,7 +5895,7 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return AVERROR(ENOMEM);
for (i = 0; i < sample_count; i++) {
- unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count);
+ unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size,
min_samples * sizeof(*encrypted_samples));
if (encrypted_samples) {
@@ -5949,7 +5949,7 @@ static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon
}
for (i = 0; i < sample_count && !pb->eof_reached; i++) {
- unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count);
+ unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size,
min_samples * sizeof(*encrypted_samples));
if (!encrypted_samples) {
@@ -6110,7 +6110,7 @@ static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return AVERROR(ENOMEM);
for (i = 0; i < entry_count && !pb->eof_reached; i++) {
- unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count);
+ unsigned int min_offsets = FFMIN(FFMAX(i + 1, 1024), entry_count);
auxiliary_offsets = av_fast_realloc(
encryption_index->auxiliary_offsets, &alloc_size,
min_offsets * sizeof(*auxiliary_offsets));
--
2.17.0.921.gf22659ad46-goog
More information about the ffmpeg-devel
mailing list