On 15.12.2016 00:34, Matthew Wolenetz wrote: > > From fd878457cd55690d4a27d74411b68a30c9fb2313 Mon Sep 17 00:00:00 2001 > From: Matt Wolenetz <wolen...@chromium.org> > Date: Fri, 2 Dec 2016 18:10:39 -0800 > Subject: [PATCH] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr > > Core of patch is from p...@paulmehta.com > Reference https://crbug.com/643950 > --- > libavformat/mov.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 2a69890..7254505 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -739,6 +739,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, > MOVAtom atom) > > title_size = atom.size - 24; > if (title_size > 0) { > + if (title_size >= UINT_MAX)
I think this should use SIZE_MAX. > + return AVERROR_INVALIDDATA; > title_str = av_malloc(title_size + 1); /* Add null terminator */ > if (!title_str) > return AVERROR(ENOMEM); Best regards, Andreas
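
Review bot: the bound in `if (title_size >= UINT_MAX)` does not match the type of the allocation it protects. The wrap being guarded against is in `title_size + 1` as passed to av_malloc, which takes a size_t, so the limit that matters is SIZE_MAX, as the reply suggests; UINT_MAX only coincides with it where unsigned int and size_t have the same width. The declaration of title_size is not visible in this hunk, so its type should be confirmed as wide enough for the comparison to be meaningful. A short comment on the new check naming the overflow it prevents would also help.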