[FFmpeg-devel] stsz overflow

Frank Barchard fbarchard
Tue Aug 25 00:44:29 CEST 2009


On Mon, Aug 24, 2009 at 2:22 PM, Baptiste Coudurier <
baptiste.coudurier at gmail.com> wrote:
>
> Why sizeof(int)*8 ?
>

Since field_size has been checked, how about that instead.
Plus the code should free the previous alloc to avoid a leak.
Note with this change the code will fail, but avoids a crash.

Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c   (revision 19695)
+++ libavformat/mov.c   (working copy)
@@ -1262,6 +1262,10 @@
     if (!sc->sample_sizes)
         return AVERROR(ENOMEM);

+    if(entries >= UINT_MAX / field_size) {
+        av_freep(&sc->sample_sizes);
+        return -1;
+    }
     num_bytes = (entries*field_size+4)>>3;

     buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);
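Review bot: the new overflow guard lands after `sc->sample_sizes` has already been allocated (the `if (!sc->sample_sizes)` check just above it), so the patch has to undo that allocation with `av_freep(&sc->sample_sizes)` on the error path; moving the `entries >= UINT_MAX / field_size` check ahead of the allocation would drop the free and the extra cleanup step entirely. Two smaller points: the comparison only prevents a wrap-around if `entries` and `field_size` are unsigned types, which the hunk does not show, so that is worth confirming in the surrounding code; and `return -1` is a bare error code where the neighbouring line already uses the `AVERROR(...)` style, so the same convention would be consistent here.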


