mov: Avoid overflow with mov_metadata_raw()
authorDale Curtis <dalecurtis@chromium.org>
Tue, 6 Jan 2015 00:19:09 +0000 (16:19 -0800)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 9 Jan 2015 16:18:40 +0000 (17:18 +0100)
The code previously added 1 to len without checking its size,
resulting in an overflow which can corrupt value[-1] -- which
may be used to store unaligned ptr information for certain
allocators.

Found-by: Paul Mehta <paul@paulmehta.com>
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/mov.c

index dfd4bce..f78680a 100644 (file)
@@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len)
 static int mov_metadata_raw(MOVContext *c, AVIOContext *pb,
                             unsigned len, const char *key)
 {
+    // Check for overflow.
+    if (len >= INT_MAX)
+        return AVERROR(EINVAL);
     char *value = av_malloc(len + 1);
     if (!value)
         return AVERROR(ENOMEM);