diff mbox

[FFmpeg-devel] Fix potential integer overflow in mov_read_keys

Message ID CAP5JBsRkephKJL7KKsAdqnEB0-oyjiF2MB0sEg012T1MdvC7qA@mail.gmail.com
State Accepted
Headers show

Commit Message

Sergey Volk Sept. 7, 2016, 9:38 p.m. UTC
I just realized that count+1 itself might overflow if count==UINT_MAX, so I
guess it's better to subtract 1 from the right-hand side. Attached updated
patch.

On Wed, Sep 7, 2016 at 2:21 PM, Sergey Volk <servolk@chromium.org> wrote:

> Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
> we need to check that (count + 1) won't cause overflow.
>
>

Comments

Michael Niedermayer Sept. 8, 2016, 9:37 a.m. UTC | #1
On Wed, Sep 07, 2016 at 02:38:48PM -0700, Sergey Volk wrote:
> I just realized that count+1 itself might overflow if count==UINT_MAX, so I
> guess it's better to subtract 1 from the right-hand side. Attached updated
> patch.
> 
> On Wed, Sep 7, 2016 at 2:21 PM, Sergey Volk <servolk@chromium.org> wrote:
> 
> > Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
> > we need to check that (count + 1) won't cause overflow.
> >
> >

>  mov.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 5f372bd81ec31f48d8a4b78f82a4ab9c82a9bb43  0001-Fix-potential-integer-overflow-in-mov_read_keys.patch
> From 87a7a2e202ebb63362715054773a89ce1fc71743 Mon Sep 17 00:00:00 2001
> From: Sergey Volk <servolk@google.com>
> Date: Wed, 7 Sep 2016 14:05:35 -0700
> Subject: [PATCH] Fix potential integer overflow in mov_read_keys
> 
> Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
> we need to check that (count + 1) won't cause overflow.
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

applied

thx

[...]
diff mbox

Patch

From 87a7a2e202ebb63362715054773a89ce1fc71743 Mon Sep 17 00:00:00 2001
From: Sergey Volk <servolk@google.com>
Date: Wed, 7 Sep 2016 14:05:35 -0700
Subject: [PATCH] Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f499906..a7595c5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3278,7 +3278,7 @@  static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     avio_skip(pb, 4);
     count = avio_rb32(pb);
-    if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+    if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
         av_log(c->fc, AV_LOG_ERROR,
                "The 'keys' atom with the invalid key count: %d\n", count);
         return AVERROR_INVALIDDATA;
-- 
2.8.0.rc3.226.g39d4020