Message ID | 20201019024212.38561-1-ruc_zhangxiaohui@163.com |
---|---|
State | New |
Series | [FFmpeg-devel,1/1] libavformat/mov: Add bound checks to avoid integer overflow and invalid memory allocation |
Context | Check | Description |
---|---|---|
andriy/x86_make_warn | warning | New warnings during build |
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | fail | Make fate failed |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | warning | Make fate failed |
> On Oct 19, 2020, at 10:42 AM, Xiaohui Zhang <ruc_zhangxiaohui@163.com> wrote: > > From: Zhang Xiaohui <ruc_zhangxiaohui@163.com> > > Hi, I think function mov_read_cmov fails to perform proper bounds > checking on atom.size and cmov_len, which may lead to integer > overflow and invalid memory allocation. > > Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com> > --- > libavformat/mov.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 7fd43a8fc5..245c720e42 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -5181,8 +5181,12 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom) > if (avio_rl32(pb) != MKTAG('c','m','v','d')) > return AVERROR_INVALIDDATA; > moov_len = avio_rb32(pb); /* uncompressed size */ > + if (atom.size > LONG_MAX + 6 * 4) > + return AVERROR_INVALIDDATA; LONG_MAX + 6 * 4 leads to overflow. > cmov_len = atom.size - 6 * 4; > > + if (cmov_len <= 0) > + return AVERROR_INVALIDDATA; > cmov_data = av_malloc(cmov_len); > if (!cmov_data) > return AVERROR(ENOMEM); > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
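Review bot: the new guard `if (atom.size > LONG_MAX + 6 * 4)` cannot work as a bound, because `LONG_MAX + 6 * 4` is itself a signed overflow in the constant expression, which is exactly the objection raised in the reply above. Put the lower bound first and keep the arithmetic on `atom.size` instead of on `LONG_MAX`: reject `atom.size < 6 * 4` before `cmov_len = atom.size - 6 * 4;` so the subtraction can never go negative, and if an upper bound is wanted compare `atom.size - 6 * 4` against the limit rather than adding to `LONG_MAX`. With that ordering the second added check, `if (cmov_len <= 0)`, still usefully rejects an empty payload but no longer has to catch a negative length after the fact, and the motivation for each check belongs in the commit message, which currently only says that bounds checking is missing.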
diff --git a/libavformat/mov.c b/libavformat/mov.c index 7fd43a8fc5..245c720e42 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5181,8 +5181,12 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (avio_rl32(pb) != MKTAG('c','m','v','d')) return AVERROR_INVALIDDATA; moov_len = avio_rb32(pb); /* uncompressed size */ + if (atom.size > LONG_MAX + 6 * 4) + return AVERROR_INVALIDDATA; cmov_len = atom.size - 6 * 4; + if (cmov_len <= 0) + return AVERROR_INVALIDDATA; cmov_data = av_malloc(cmov_len); if (!cmov_data) return AVERROR(ENOMEM);
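The bug class the patch targets, shown as an added example that is not code from FFmpeg or from the patch author: the unchecked pre-patch shape, where a small `atom.size` yields a negative length that wraps to a huge allocation request, beside a hardened version that bounds `atom.size` before subtracting the 6 x 32-bit header instead of adding to `LONG_MAX`. The function and macro names, the `INT_MAX` cap on the compressed payload and the sample sizes are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout taken from the hunk: 6 x 32-bit words (dcom/cmvd tags and sizes, and
 * the uncompressed length) precede the compressed moov data.  All names here
 * are hypothetical and are not FFmpeg's. */
#define CMOV_HEADER_BYTES   (6 * 4)
/* Largest compressed moov we are willing to allocate for: an assumption made
 * for this example, not a value from the patch. */
#define CMOV_MAX_COMPRESSED ((int64_t)INT_MAX)

/* Pre-patch shape: the length is computed with no bound and handed to an
 * allocator that takes size_t.  Returns the byte count the allocator sees. */
size_t cmov_alloc_size_unchecked(int64_t atom_size)
{
    long cmov_len = (long)(atom_size - CMOV_HEADER_BYTES);
    return (size_t)cmov_len; /* a negative long wraps to a huge request */
}

/* Hardened shape.  Bound atom_size before subtracting, so the difference can
 * never go negative, and cap the payload.  The bound is applied to
 * atom_size - header rather than to LONG_MAX + header, which would overflow
 * inside the constant expression itself.  Returns the compressed length, or
 * -1 where mov_read_cmov would return AVERROR_INVALIDDATA. */
long cmov_len_checked(int64_t atom_size)
{
    if (atom_size < CMOV_HEADER_BYTES)                       /* truncated */
        return -1;
    if (atom_size - CMOV_HEADER_BYTES > CMOV_MAX_COMPRESSED) /* absurd size */
        return -1;
    if (atom_size == CMOV_HEADER_BYTES)                      /* empty payload */
        return -1;
    return (long)(atom_size - CMOV_HEADER_BYTES);
}

int main(void)
{
    /* Constructed atom sizes: truncated, header only, a small valid payload,
     * and one just past the cap. */
    const int64_t samples[] = { 0, 23, 24, 100, (int64_t)INT_MAX + 25 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("atom.size=%lld unchecked=%zu checked=%ld\n",
               (long long)samples[i], cmov_alloc_size_unchecked(samples[i]),
               cmov_len_checked(samples[i]));
    return 0;
}
```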