
[FFmpeg-devel] libavformat/mov: Fix heap buffer overflow.

Message ID 20180531174129.217682-1-modmaker@google.com
State Accepted
Commit 9827bb88e7dc55d5aaeddfaa3d1ba80a7489566c

Commit Message

Jacob Trimble May 31, 2018, 5:41 p.m. UTC
Found by Chrome's ClusterFuzz: https://crbug.com/847060

Signed-off-by: Jacob Trimble <modmaker@google.com>
---
 libavformat/mov.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer June 2, 2018, 12:07 a.m. UTC | #1
On Thu, May 31, 2018 at 10:41:29AM -0700, Jacob Trimble wrote:
> Found by Chrome's ClusterFuzz: https://crbug.com/847060
> 
> Signed-off-by: Jacob Trimble <modmaker@google.com>
> ---
>  libavformat/mov.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

will apply

thanks

[...]

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f2a540ad50..08cc382a68 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5895,7 +5895,7 @@  static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         return AVERROR(ENOMEM);
 
     for (i = 0; i < sample_count; i++) {
-        unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count);
+        unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
         encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size,
                                             min_samples * sizeof(*encrypted_samples));
         if (encrypted_samples) {
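Review bot: The new `min_samples` line relies on an invariant that is not written down anywhere: the loop body presumably stores element `i`, so the request must cover `i + 1` entries, and because `av_fast_realloc` leaves the buffer alone when the requested size already fits, asking for only `i` entries lets that store land one element past the end. A comment above the line would keep the next editor from reintroducing the off-by-one, for example `/* must hold index i, so ask for i + 1 entries; the floor and the cap on the (file-supplied?) count bound each request */`. The same expression is corrected in the mov_parse_auxiliary_info and mov_read_saio hunks as well, so a small static helper taking the index, the floor and the count would keep the three sites from diverging again. The loop bodies and the count validation sit outside the hunks, so the element store and the origin of `sample_count` / `entry_count` should be confirmed against the full functions.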
@@ -5949,7 +5949,7 @@  static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon
     }
 
     for (i = 0; i < sample_count && !pb->eof_reached; i++) {
-        unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count);
+        unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
         encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size,
                                             min_samples * sizeof(*encrypted_samples));
         if (!encrypted_samples) {
@@ -6110,7 +6110,7 @@  static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         return AVERROR(ENOMEM);
 
     for (i = 0; i < entry_count && !pb->eof_reached; i++) {
-        unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count);
+        unsigned int min_offsets = FFMIN(FFMAX(i + 1, 1024), entry_count);
         auxiliary_offsets = av_fast_realloc(
             encryption_index->auxiliary_offsets, &alloc_size,
             min_offsets * sizeof(*auxiliary_offsets));