avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry()
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 3 Feb 2018 20:36:22 +0000 (21:36 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Thu, 12 Apr 2018 22:35:15 +0000 (00:35 +0200)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eb60b9d3aaaa42265fb1960be6fff6383cfdbf37)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/mov.c

index 6124b0b..b60f8f0 100644 (file)
@@ -2970,7 +2970,7 @@ static int64_t add_ctts_entry(MOVStts** ctts_data, unsigned int* ctts_count, uns
         FFMAX(min_size_needed, 2 * (*allocated_size)) :
         min_size_needed;
 
         FFMAX(min_size_needed, 2 * (*allocated_size)) :
         min_size_needed;
 
-    if((unsigned)(*ctts_count) + 1 >= UINT_MAX / sizeof(MOVStts))
+    if((unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1)
         return -1;
 
     ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size);
         return -1;
 
     ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size);