
[FFmpeg-devel,1/1] libavformat/mov: Add bound checks to avoid integer overflow and invalid memory allocation

Message ID 20201019024212.38561-1-ruc_zhangxiaohui@163.com
State New
Series [FFmpeg-devel,1/1] libavformat/mov: Add bound checks to avoid integer overflow and invalid memory allocation

Checks

Context Check Description
andriy/x86_make_warn warning New warnings during build
andriy/x86_make success Make finished
andriy/x86_make_fate fail Make fate failed
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate warning Make fate failed

Commit Message

Xiaohui Zhang Oct. 19, 2020, 2:42 a.m. UTC
From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>

Hi, I think function mov_read_cmov fails to perform proper bounds
checking on atom.size and cmov_len, which may lead to integer
overflow and invalid memory allocation.

Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
---
 libavformat/mov.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Zhao Zhili Oct. 19, 2020, 8:03 a.m. UTC | #1
> On Oct 19, 2020, at 10:42 AM, Xiaohui Zhang <ruc_zhangxiaohui@163.com> wrote:
> 
> From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
> 
> Hi, I think function mov_read_cmov fails to perform proper bounds
> checking on atom.size and cmov_len, which may lead to integer
> overflow and invalid memory allocation.
> 
> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
> ---
> libavformat/mov.c | 4 ++++
> 1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 7fd43a8fc5..245c720e42 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5181,8 +5181,12 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>     if (avio_rl32(pb) != MKTAG('c','m','v','d'))
>         return AVERROR_INVALIDDATA;
>     moov_len = avio_rb32(pb); /* uncompressed size */
> +    if (atom.size > LONG_MAX + 6 * 4)
> +        return AVERROR_INVALIDDATA;

LONG_MAX + 6 * 4 leads to overflow.

>     cmov_len = atom.size - 6 * 4;
> 
> +    if (cmov_len <= 0)
> +        return AVERROR_INVALIDDATA;
>     cmov_data = av_malloc(cmov_len);
>     if (!cmov_data)
>         return AVERROR(ENOMEM);
> -- 
> 2.17.1
> 

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7fd43a8fc5..245c720e42 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5181,8 +5181,12 @@  static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     if (avio_rl32(pb) != MKTAG('c','m','v','d'))
         return AVERROR_INVALIDDATA;
     moov_len = avio_rb32(pb); /* uncompressed size */
+    if (atom.size > LONG_MAX + 6 * 4)
+        return AVERROR_INVALIDDATA;
     cmov_len = atom.size - 6 * 4;
 
+    if (cmov_len <= 0)
+        return AVERROR_INVALIDDATA;
     cmov_data = av_malloc(cmov_len);
     if (!cmov_data)
         return AVERROR(ENOMEM);
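Review bot: the new guard `if (atom.size > LONG_MAX + 6 * 4)` cannot do its job, because `LONG_MAX + 6 * 4` overflows in the constant expression itself (signed overflow, undefined behaviour; with two's-complement wrap-around it becomes a large negative value, so the comparison would reject almost every atom rather than only oversized ones). The value that actually needs bounding is the subtraction on the following line, `cmov_len = atom.size - 6 * 4;`: an `atom.size` smaller than 24 goes negative, and when `cmov_len` is a `long` narrower than `atom.size` a large size is truncated before it reaches `av_malloc(cmov_len)`. Suggest one check placed before the subtraction and written so that no operand can overflow, for example `if (atom.size < 6 * 4 || atom.size - 6 * 4 > LONG_MAX) return AVERROR_INVALIDDATA;`, which also makes the later `if (cmov_len <= 0)` check redundant.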