[FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Matthew Wolenetz wolenetz at chromium.org
Wed Feb 8 02:09:15 EET 2017


Updated to SIZE_MAX. Thank you for your comments.

On Wed, Dec 14, 2016 at 5:39 PM, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:

> On 15.12.2016 00:36, Matthew Wolenetz wrote:
> > From 9d45f272a682b0ea831c20e36f696e15cc0c55fe Mon Sep 17 00:00:00 2001
> > From: Matt Wolenetz <wolenetz at chromium.org>
> > Date: Tue, 6 Dec 2016 12:33:08 -0800
> > Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
> >
> > Core of patch is from paul at paulmehta.com
> > Reference https://crbug.com/643951
> > ---
> >  libavformat/mov.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 7254505..e506d20 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -4393,6 +4393,8 @@ static int mov_read_uuid(MOVContext *c,
> AVIOContext *pb, MOVAtom atom)
> >      } else if (!memcmp(uuid, uuid_xmp, sizeof(uuid))) {
> >          uint8_t *buffer;
> >          size_t len = atom.size - sizeof(uuid);
> > +        if (len >= UINT_MAX)
>
> This should also use SIZE_MAX.
>
> > +            return AVERROR_INVALIDDATA;
> >
> >          buffer = av_mallocz(len + 1);
> >          if (!buffer) {
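
Review bot: the new guard on len runs only after `size_t len = atom.size - sizeof(uuid);` has been evaluated, so an atom.size smaller than sizeof(uuid) has already wrapped to a very large size_t by the time it is tested. Against UINT_MAX such a wrapped value is rejected on a 64-bit size_t, but once the bound becomes SIZE_MAX as requested above, only len == SIZE_MAX is caught and every other wrapped length goes on to `av_mallocz(len + 1)`. The visible context shows no lower-bound check, so either confirm that one exists earlier in mov_read_uuid or test atom.size < sizeof(uuid) before the subtraction. A short comment saying the check protects the len + 1 in the allocation would also make its purpose clear to later readers.
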
>
> Best regards,
> Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 643951-lavf-mov.c-Avoid-heap-allocation-wrap-in-mov_read_uu.patch
Type: text/x-patch
Size: 974 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170207/ce1b3eb9/attachment.bin>
