[FFmpeg-devel] avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry()

Submitted by Michael Niedermayer on Feb. 3, 2018, 9:45 p.m.

Details

Message ID 20180203214524.14908-1-michael@niedermayer.cc
State Accepted
Commit eb60b9d3aaaa42265fb1960be6fff6383cfdbf37
Headers show

Commit Message

Michael Niedermayer Feb. 3, 2018, 9:45 p.m.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer March 26, 2018, 12:18 a.m.
On Sat, Feb 03, 2018 at 10:45:24PM +0100, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]

Patch hide | download patch | download mbox

diff --git a/libavformat/mov.c b/libavformat/mov.c
index d16b431e03..a9b9ec025f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3233,7 +3233,7 @@  static int64_t add_ctts_entry(MOVStts** ctts_data, unsigned int* ctts_count, uns
         FFMAX(min_size_needed, 2 * (*allocated_size)) :
         min_size_needed;
 
-    if((unsigned)(*ctts_count) + 1 >= UINT_MAX / sizeof(MOVStts))
+    if((unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1)
         return -1;
 
     ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size);