Message ID | CAADho6NTPc6D7K8qVwX-5_cQHYHvfCK+g-50-4jrBH1kBgiU8w@mail.gmail.com |
---|---|
State | Superseded |
On 15.12.2016 00:36, Matthew Wolenetz wrote: > From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001 > From: Matt Wolenetz <wolenetz@chromium.org> > Date: Tue, 6 Dec 2016 12:33:08 -0800 > Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid > > Core of patch is from paul@paulmehta.com > Reference https://crbug.com/643951 > --- > libavformat/mov.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 7254505..e506d20 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) > } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) { > uint8_t *buffer; > size_t len = atom.size - sizeof(uuid); > + if (len >= UINT_MAX) This should also use SIZE_MAX. > + return AVERROR_INVALIDDATA; > > buffer = av_mallocz(len + 1); > if (!buffer) { Best regards, Andreas
From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001 From: Matt Wolenetz <wolenetz@chromium.org> Date: Tue, 6 Dec 2016 12:33:08 -0800 Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid Core of patch is from paul@paulmehta.com Reference https://crbug.com/643951 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7254505..e506d20 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) { uint8_t *buffer; size_t len = atom.size - sizeof(uuid); + if (len >= UINT_MAX) + return AVERROR_INVALIDDATA; buffer = av_mallocz(len + 1); if (!buffer) { -- 2.8.0.rc3.226.g39d4020
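Review bot: the added check `if (len >= UINT_MAX)` uses an `unsigned int` limit on a `size_t` value, but the wrap it is there to prevent is in `len + 1` passed to `av_mallocz`, and that addition only wraps at `SIZE_MAX`. On targets where `size_t` is wider than `unsigned int`, the check therefore also rejects lengths that cannot wrap, which amounts to an undocumented size cap on the XMP payload. Either compare against `SIZE_MAX`, or keep the smaller bound and state in a comment that it is a deliberate limit. The check also runs after `atom.size - sizeof(uuid)` has already been stored in `len`, so it tests the converted result rather than the input. The visible context does not show `atom.size` being checked against `sizeof(uuid)` or against the range of `size_t`, so unless that is done above this hunk, validate `atom.size` before the subtraction. A blank line between the declarations and the new `if` would also match the surrounding style.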