mov: Avoid overflow with mov_metadata_raw()
authorDale Curtis <dalecurtis@chromium.org>
Tue, 6 Jan 2015 00:19:09 +0000 (16:19 -0800)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 13 Mar 2015 16:06:08 +0000 (17:06 +0100)
commitb41bc711438abed7b67499ea4865127f97df6745
tree1638808ec3c9a7b4d335568d0dad222985b85a04
parent1b9a62c357b1e0045b5c1eb6fb6e5f3cdbd979ce
mov: Avoid overflow with mov_metadata_raw()

The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/mov.c