From patchwork Wed Dec 14 23:34:14 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthew Wolenetz <wolenetz@chromium.org>
X-Patchwork-Id: 1785
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.65.86 with SMTP id o83csp444038vsa;
	Wed, 14 Dec 2016 15:35:05 -0800 (PST)
X-Received: by 10.28.48.7 with SMTP id w7mr9128907wmw.115.1481758505562;
	Wed, 14 Dec 2016 15:35:05 -0800 (PST)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	zb5si56768041wjb.222.2016.12.14.15.35.05;
	Wed, 14 Dec 2016 15:35:05 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	dkim=neutral (body hash did not verify) header.i=@google.com;
	dkim=neutral (body hash did not verify) header.i=@chromium.org;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
	dmarc=fail (p=NONE dis=NONE) header.from=chromium.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 43C75680D3A;
	Thu, 15 Dec 2016 01:34:57 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-io0-f182.google.com (mail-io0-f182.google.com
	[209.85.223.182])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4F7A6680CA6
	for <ffmpeg-devel@ffmpeg.org>; Thu, 15 Dec 2016 01:34:50 +0200 (EET)
Received: by mail-io0-f182.google.com with SMTP id 136so54647849iou.3
	for <ffmpeg-devel@ffmpeg.org>; Wed, 14 Dec 2016 15:34:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=20161025;
	h=mime-version:sender:from:date:message-id:subject:to;
	bh=+NCGKPMOA9zNhNBxiyQX2bcb4y3F/zADb5zbiCdzrOk=;
	b=iJrKnxMbet4aQv5m+ACKI0DerkLaxkhP/GqH91lLmhLIf35GtXt5dnyK/UorD7wwLG
	XrG+K6kfXmA1KNefUcSwoLvYIZ2liN1X4eKYL7q0fDQu1YdDEo+RJvo411tB5e4KHMXk
	BgF90MDfRxR3rMoZAXZZGL+9QkolM3GH4aMiPOCXeoPyofarB4BCnbJknY/KvYJk12rW
	bPFwYnC0LaodsGAGn/FJd34399ttpt5x1oqA9cZeq74tpjnxssoh4nvZRa7WqUHgK8u5
	1z+FjTiwQ2A9/4KsvCd28/3XBNt5WdfVyqf6SdvIQB/GkeK8PcwGJCx1Ag4FmJMshhS2
	BwNA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;
	s=google;
	h=mime-version:sender:from:date:message-id:subject:to;
	bh=+NCGKPMOA9zNhNBxiyQX2bcb4y3F/zADb5zbiCdzrOk=;
	b=R2QtfxUjITq67ETtUW3TTNvJowkj1fcVRqkjgGjfjFqSXktVwjJq7xW9PnVyQPvi3y
	prRra7coyjlNIAnFd8e5x30vV2CkFlipNEf07ZGTw5oTPpDingVQwzld3N8ieQNzMAip
	FR1O8eFUQutjnsIKpowTK+7bwePnkMi6Fz19o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:sender:from:date:message-id:subject
	:to; bh=+NCGKPMOA9zNhNBxiyQX2bcb4y3F/zADb5zbiCdzrOk=;
	b=qcT9CqDwqc5yb+Ik/r4SFcTazGP1Xw49am6Mk26bKan0LPAlCFD3KnQovTVhmfg4BA
	1nZtL/GT7I7t5r9dSDKfn67CBAXrJMxAtTzjI+DK44uYzkJXWOqJ/80XgzE3cb/dUebE
	bvr3Sd1djlfJeDWzy2d5ofgznWX4R7c3ZOJYRrQZ71H4ws3/Gw28vOGZ9r9XweCbQfYY
	dBuBNTF3PZlVarcFMUlGvJYQg7z9c/tt9Wzt128w84DpEN5Cc4ylH/EW1x1rohavvqJQ
	+Gm14N+01OqcBzqrzrVEUnP0Cw7vDSDDAiYmgVs0qMpeCpl5WNpHyW07c1HQNNYUvWlC
	no6g==
X-Gm-Message-State: 
 AKaTC036UxPJGm5WbJ6cAo95QEZxSepOlau71PkeqG1qkKccedBU2/hfECk5krUNKZzL7ielA3t2K7DVM79I5Hc8
X-Received: by 10.107.17.105 with SMTP id z102mr8580514ioi.165.1481758494605;
	Wed, 14 Dec 2016 15:34:54 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a17:908:2cd5:0:0:0:0 with HTTP; Wed, 14 Dec 2016 15:34:14
	-0800 (PST)
From: Matthew Wolenetz <wolenetz@chromium.org>
Date: Wed, 14 Dec 2016 15:34:14 -0800
X-Google-Sender-Auth: GLRYWZcS-WBfSIJxSYWDhvG0A5s
Message-ID: 
 <CAADho6Mv96M5rSJw0y_Qf1E-v1dNxR=6KCM2cq5Gca05W8sR6g@mail.gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
Subject: [FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wrap in
	mov_read_hdlr
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

From fd878457cd55690d4a27d74411b68a30c9fb2313 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz <wolenetz@chromium.org>
Date: Fri, 2 Dec 2016 18:10:39 -0800
Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950
---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2a69890..7254505 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -739,6 +739,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     title_size = atom.size - 24;
     if (title_size > 0) {
+        if (title_size >= UINT_MAX)
+            return AVERROR_INVALIDDATA;
         title_str = av_malloc(title_size + 1); /* Add null terminator */
         if (!title_str)
             return AVERROR(ENOMEM);
-- 
2.8.0.rc3.226.g39d4020