ffmpeg | branch: release/2.5 | Michael Niedermayer <michae...@gmx.at> | Tue Jan 6 04:29:10 2015 +0100| [25312a427bda360a98c6a38be7af9e5f686c9902] | committer: Michael Niedermayer
avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta <p...@paulmehta.com> Signed-off-by: Michael Niedermayer <michae...@gmx.at> (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer <michae...@gmx.at> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25312a427bda360a98c6a38be7af9e5f686c9902 --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3a93897..11fdcf0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -355,7 +355,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size_alloc = str_size << 1; // worst-case requirement for output string in case of utf8 coded input _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
