From patchwork Wed Sep 7 21:21:38 2016
X-Patchwork-Submitter: Sergey Volk
X-Patchwork-Id: 469
From: Sergey Volk
Date: Wed, 7 Sep 2016 14:21:38 -0700
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so we need to check that (count + 1) won't cause overflow.

From cfc0f5a099284c95476d5c020dca05fb743ff5ae Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 7 Sep 2016 14:05:35 -0700 Subject: [PATCH] Fix potential integer overflow in mov_read_keys Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so we need to check that (count + 1) won't cause overflow. --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f499906..ea7d051 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3278,7 +3278,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_skip(pb, 4); count = avio_rb32(pb); - if (count > UINT_MAX / sizeof(*c->meta_keys)) { + if (count + 1 > UINT_MAX / sizeof(*c->meta_keys)) { av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count); return AVERROR_INVALIDDATA; -- 2.8.0.rc3.226.g39d4020
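Review bot: the new condition `count + 1 > UINT_MAX / sizeof(*c->meta_keys)` still wraps at the boundary it is meant to guard: `count` comes from `avio_rb32` and is compared against `UINT_MAX`, so if it is an unsigned 32-bit variable (its declaration is outside the hunk), `count + 1` becomes 0 when `count` is 0xFFFFFFFF, the check passes, and the later `(count + 1) * sizeof(*c->meta_keys)` allocation is sized from a wrapped value. Keep the arithmetic on the constant side so no intermediate involving the untrusted value can overflow: `if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {`. Minor, in the unchanged context: the `av_log` line prints `count` with `%d`, and since the message exists precisely for out-of-range values, `%u` would show the real number rather than a negative one.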
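As an added example (not part of Sergey's patch or of FFmpeg's mov.c), the three forms of the bound side by side: the pre-patch check, the check as patched, and the form with the +1 moved to the constant side. `meta_key_t` is assumed as a stand-in for the element type of `c->meta_keys`, and the product is modelled in 32-bit arithmetic, where the wrap the commit message describes actually occurs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the element type of MOVContext::meta_keys; the real type
 * is not shown in the patch, so a pointer-sized entry is assumed here. */
typedef char *meta_key_t;

/* Guard before the patch: bounds `count` alone, although the allocation
 * that follows in mov_read_keys uses count + 1 elements. */
static bool reject_before_patch(uint32_t count)
{
    return count > UINT_MAX / sizeof(meta_key_t);
}

/* Guard as written in the patch: `count + 1` is evaluated in 32-bit
 * unsigned arithmetic, so for count == UINT32_MAX it wraps to 0 and the
 * comparison accepts the value it was meant to reject. */
static bool reject_as_patched(uint32_t count)
{
    return count + 1 > UINT_MAX / sizeof(meta_key_t);
}

/* Same bound with the +1 moved to the constant side: no expression
 * involving the untrusted value can wrap, so every count that would make
 * (count + 1) * sizeof overflow a 32-bit size is rejected. */
static bool reject_safe(uint32_t count)
{
    return count > UINT_MAX / sizeof(meta_key_t) - 1;
}

/* (count + 1) * sizeof(meta_key_t) as a 32-bit size_t would compute it;
 * returns 0 (or another wrapped value) when the product overflows. */
static uint32_t alloc_size32(uint32_t count)
{
    return (count + 1u) * (uint32_t)sizeof(meta_key_t);
}

int main(void)
{
    const uint32_t probes[] = { 16u, UINT_MAX / sizeof(meta_key_t), UINT32_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t n = probes[i];
        printf("count=%-10u before=%d patched=%d safe=%d size32=%u\n", n,
               reject_before_patch(n), reject_as_patched(n), reject_safe(n),
               alloc_size32(n));
    }
    return 0;
}
```

Only `reject_safe` rejects both probes that make the 32-bit product wrap: the pre-patch check accepts `UINT_MAX / sizeof`, and the patched check accepts `UINT32_MAX`.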