[FFmpeg-devel] stsz overflow

Frank Barchard fbarchard
Mon Aug 24 23:07:46 CEST 2009


Large stsz can cause the malloc expression to overflow, which will quietly
allocate too little memory and crash later.

Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c   (revision 19695)
+++ libavformat/mov.c   (working copy)
@@ -1262,6 +1262,8 @@
     if (!sc->sample_sizes)
         return AVERROR(ENOMEM);

+    if(entries >= UINT_MAX / (sizeof(int)*8))
+        return -1;
     num_bytes = (entries*field_size+4)>>3;

     buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);
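Review bot: the new guard bounds `entries` by `UINT_MAX / (sizeof(int)*8)`, but the product it protects is `entries*field_size` on the next line, so it is only sufficient if `field_size` can never exceed `sizeof(int)*8` bits; either add a separate range check on `field_size` before this point or derive the limit from `field_size` itself, e.g. `if (entries >= (UINT_MAX - 4) / field_size)`. The guard is also placed after `sc->sample_sizes` has already been allocated from the same `entries`, so an oversized count has already caused one allocation before being rejected; moving the check above that `av_malloc` avoids both the wasted allocation and any question of freeing `sc->sample_sizes` on the new early-return path. Minor: `return -1` should be an `AVERROR` code (`AVERROR_INVALIDDATA`) to match the `AVERROR(ENOMEM)` two lines above, and the file uses `if (` with a space.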


