From 1a1ad08dfdb4d3c76c64fc3d569ad360b737b0d6 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz <wolenetz@google.com>
Date: Wed, 8 Feb 2017 15:40:46 -0800
Subject: [PATCH] lavf/mov.c: Avoid OOB in mov_read_udta_string()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (udta_string portion)
Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
---
libavformat/mov.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
@@ -407,11 +407,11 @@ retry:
return ret;
} else if (!key && c->found_hdlr_mdta && c->meta_keys) {
uint32_t index = AV_RB32(&atom.type);
- if (index < c->meta_keys_count) {
+ if (index < c->meta_keys_count && index > 0) {
key = c->meta_keys[index];
} else {
av_log(c->fc, AV_LOG_WARNING,
- "The index of 'data' is out of range: %d >= %d.\n",
+ "The index of 'data' is out of range: %d < 1 or >= %d.\n",
index, c->meta_keys_count);
}
}
--
2.11.0.483.g087da7b7c-goog