mov: Fix overflow and error handling in read_tfra().
authorDale Curtis <dalecurtis@chromium.org>
Tue, 6 Jan 2015 03:00:43 +0000 (04:00 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 6 Jan 2015 03:44:16 +0000 (04:44 +0100)
commitdb42d93a61be26873be6115c57f5921b4dfdec14
tree74b5e688536d436b9ed1590d0331ebb3df06fc84
parenta79ac73b631a2d8347f45fbdcb666f37e40ab9fe
mov: Fix overflow and error handling in read_tfra().

Under abnormal conditions the item_count may exceed the max
allocation size on 32-bit systems, this causes the allocated
size to overflow and become too small for the given count.

Additionally, if av_reallocp() fails its allocation, the
fragment_index_count is not correctly decremented.

Ensuring further havoc may be wrought, the error code for
read_tfra() is not checked upon return.

Found-by: Paul Mehta <paul@paulmehta.com>
positive return code and use of _array functions by commiter

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/mov.c