From patchwork Wed Dec 14 23:36:43 2016
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 1786
X-Original-To: ffmpeg-devel@ffmpeg.org
From: Matthew Wolenetz
Date: Wed, 14 Dec 2016 15:36:43 -0800
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001
From: Matt Wolenetz
Date: Tue, 6 Dec 2016 12:33:08 -0800
Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951
---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7254505..e506d20 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) { uint8_t *buffer; size_t len = atom.size - sizeof(uuid); + if (len >= UINT_MAX) + return AVERROR_INVALIDDATA; buffer = av_mallocz(len + 1); if (!buffer) {
-- 
2.8.0.rc3.226.g39d4020
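Review bot: the bound in `if (len >= UINT_MAX)` is stricter than what is needed to stop `len + 1` from wrapping, and that deserves a comment in the hunk: `len` is `size_t`, so `len + 1` only overflows at `SIZE_MAX`, which coincides with `UINT_MAX` on 32-bit targets but on 64-bit targets means the check also refuses any `uuid` atom of roughly 4 GiB or more before `av_mallocz(len + 1)` is reached. That is a reasonable sanity limit for an XMP payload, so please state the intent in a one-line comment such as `/* reject sizes that would wrap len + 1 or are implausibly large */` so the next reader does not "fix" it to `SIZE_MAX`. The same comparison also happens to catch an underflow in `size_t len = atom.size - sizeof(uuid);` (a too-small `atom.size` leaves `len` near `SIZE_MAX`), so if the function already rejects `atom.size < sizeof(uuid)` earlier (not visible in this hunk) the comment can note that the guard is defensive; if it does not, this check is the only thing preventing a huge allocation request on that path. Finally, `UINT_MAX` lives in `<limits.h>` and the hunk adds no include, so confirm `mov.c` already pulls it in.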