From patchwork Wed Sep 7 21:38:48 2016
X-Patchwork-Submitter: Sergey Volk
X-Patchwork-Id: 470
From: Sergey Volk Date: Wed, 7 Sep 2016 14:38:48 -0700 X-Google-Sender-Auth: 31fmaCjaoQanTkS7PIzYjYOkWMg Message-ID: To: FFmpeg development discussions and patches X-Content-Filtered-By: Mailman/MimeDel 2.1.20 Subject: Re: [FFmpeg-devel] [PATCH] Fix potential integer overflow in mov_read_keys X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" I just realized that count+1 itself might overflow if count==UINT_MAX, so I guess it's better to subtract 1 from the right-hand side. Attached updated patch. On Wed, Sep 7, 2016 at 2:21 PM, Sergey Volk wrote: > Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so > we need to check that (count + 1) won't cause overflow. > > From 87a7a2e202ebb63362715054773a89ce1fc71743 Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 7 Sep 2016 14:05:35 -0700 Subject: [PATCH] Fix potential integer overflow in mov_read_keys Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so we need to check that (count + 1) won't cause overflow. --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f499906..a7595c5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3278,7 +3278,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); - if (count > UINT_MAX / sizeof(*c->meta_keys)) { + if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count); return AVERROR_INVALIDDATA; -- 2.8.0.rc3.226.g39d4020
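Review bot: the av_log line kept as context in this hunk still prints count with %d, but count comes from avio_rb32(), which returns an unsigned value, so any rejected count of 2^31 or above is logged as a negative number; use %u (or PRIu32 if count is declared uint32_t) so the message shows the value that was actually read. The "- 1" on the right-hand side is correct for the reason the commit message gives: it bounds count + 1, the quantity that is multiplied by sizeof(*c->meta_keys), rather than count alone, so neither the increment nor the product can wrap in unsigned int. Note that UINT_MAX is the right ceiling only while that product is formed in unsigned int; if the allocation size is computed in size_t, av_malloc_array() or av_calloc() would carry the overflow check together with the allocation.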
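As an added illustration (not code from the patch or from FFmpeg): the two versions of the check side by side, with the allocation size evaluated in 32-bit unsigned arithmetic so that the wrap is observable. The element size is a parameter (an assumption made so that both the reply's count == UINT_MAX case with a 1-byte element and a pointer-sized element like *c->meta_keys can be tried); the 32-bit evaluation of the product is likewise an assumption, matching a 32-bit build or any path that forms the size in unsigned int. What it adds beyond the reply is the boundary value count == UINT_MAX / elem_size: the old check accepts it, yet (count + 1) * elem_size wraps to exactly 0, which is the gap the "- 1" closes.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Check as it stood before the patch: it bounds count alone. */
static bool count_ok_old(uint32_t count, uint32_t elem_size)
{
    return count <= UINT_MAX / elem_size;
}

/* Check from the patch: it bounds count + 1, the value that is multiplied. */
static bool count_ok_new(uint32_t count, uint32_t elem_size)
{
    return count <= UINT_MAX / elem_size - 1;
}

/* (count + 1) * elem_size evaluated in 32-bit unsigned arithmetic, as it
 * would be on a 32-bit build or wherever the product is formed in
 * unsigned int (an assumption of this example). Wrap-around is silent. */
static uint32_t alloc_bytes_u32(uint32_t count, uint32_t elem_size)
{
    uint32_t n = count + 1;   /* wraps to 0 when count == UINT32_MAX */
    return n * elem_size;
}

/* The same quantity without wrap, for comparison. */
static uint64_t alloc_bytes_exact(uint32_t count, uint32_t elem_size)
{
    return ((uint64_t)count + 1) * elem_size;
}

/* True when `check` accepts count but the 32-bit allocation size is not the
 * real one. That is the state a heap overflow starts from: the buffer is
 * short (possibly zero bytes) while the caller treats it as count + 1
 * elements. */
static bool check_lets_wrap_through(bool (*check)(uint32_t, uint32_t),
                                    uint32_t count, uint32_t elem_size)
{
    return check(count, elem_size) &&
           alloc_bytes_u32(count, elem_size) != alloc_bytes_exact(count, elem_size);
}

int main(void)
{
    /* 1 reproduces the reply's count == UINT_MAX case; 4 and 8 are the
     * sizes of a pointer element such as *c->meta_keys. */
    const uint32_t sizes[] = { 1, 4, 8 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t elem = sizes[i];
        uint32_t boundary = UINT_MAX / elem;   /* largest count the old check accepts */

        printf("elem=%" PRIu32 " count=%" PRIu32 ": old=%s new=%s bytes32=%" PRIu32
               " exact=%" PRIu64 " wrap-through(old)=%s wrap-through(new)=%s\n",
               elem, boundary,
               count_ok_old(boundary, elem) ? "accept" : "reject",
               count_ok_new(boundary, elem) ? "accept" : "reject",
               alloc_bytes_u32(boundary, elem), alloc_bytes_exact(boundary, elem),
               check_lets_wrap_through(count_ok_old, boundary, elem) ? "yes" : "no",
               check_lets_wrap_through(count_ok_new, boundary, elem) ? "yes" : "no");
    }
    return 0;
}
```

For every power-of-two element size the boundary count makes (count + 1) * elem_size land exactly on 2^32, so the 32-bit product is 0 and an allocator would hand back a zero-length buffer; the new check rejects that count, and for every count it does accept the product is provably at most UINT_MAX.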