[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/1.1 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [e2e66f2f998242c7a9342df6d68f9a98fda774c9] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2e66f2f998242c7a9342df6d68f9a98fda774c9 --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index dd5352e..df3dc39 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -388,7 +388,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/0.10 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [766c1cbeb4a10589f9a31370dcc38cf788b92e8b] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=766c1cbeb4a10589f9a31370dcc38cf788b92e8b --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5fbd621..3fcfa79 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -245,7 +245,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/1.2 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [b6351f9978a4188dfc5213a863b8c08308f6fec8] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b6351f9978a4188dfc5213a863b8c08308f6fec8 --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 03a36a8..b6449f3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -388,7 +388,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/2.2 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [20a03d5c93237341e15e5279fa9190a2f79bc75f] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20a03d5c93237341e15e5279fa9190a2f79bc75f --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0d4017b..027becf 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -386,7 +386,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/2.4 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [0787163cf369f114862bc7402b8410ff32bdef37] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0787163cf369f114862bc7402b8410ff32bdef37 --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f78680a..98eb5cc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -358,7 +358,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/2.5 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [25312a427bda360a98c6a38be7af9e5f686c9902] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25312a427bda360a98c6a38be7af9e5f686c9902 --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3a93897..11fdcf0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -355,7 +355,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size_alloc = str_size << 1; // worst-case requirement for output string in case of utf8 coded input ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: release/2.3 | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [ffe915b6f596de5fc54eabf631b7b9b1a19aaa63] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffe915b6f596de5fc54eabf631b7b9b1a19aaa63 --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3711d29..d7e5669 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -359,7 +359,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: fix integer overflow in mov_read_udta_string()
ffmpeg | branch: master | Michael Niedermayer | Tue Jan 6 04:29:10 2015 +0100| [3859868c75313e318ebc5d0d33baada62d45dd75] | committer: Michael Niedermayer avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75 --- libavformat/mov.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ba79378..f2a66b8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -375,7 +375,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; -if (atom.size < 0) +if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; // worst-case requirement for output string in case of utf8 coded input ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog