[FFmpeg-cvslog] avformat/mov: Fix potential integer overflow in mov_read_keys

2016-09-28 Thread Sergey Volk 
ffmpeg | branch: release/3.0 | Sergey Volk  | Wed Sep  7 
14:05:35 2016 -0700| [9259b7f38e008720096532cd4e666a9889f3c578] | committer: 
Michael Niedermayer

avformat/mov: Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 347cb14b7cba7560e53f4434b419b9d8800253e7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9259b7f38e008720096532cd4e666a9889f3c578
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index bcba9bb..6b90d08 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3149,7 +3149,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 
 avio_skip(pb, 4);
 count = avio_rb32(pb);
-if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
 av_log(c->fc, AV_LOG_ERROR,
"The 'keys' atom with the invalid key count: %d\n", count);
 return AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Fix potential integer overflow in mov_read_keys

2016-09-28 Thread Sergey Volk 
ffmpeg | branch: release/3.1 | Sergey Volk  | Wed Sep  7 
14:05:35 2016 -0700| [7a3dc2f7b6c2fbe62aeed7839e736db395a6f76a] | committer: 
Michael Niedermayer

avformat/mov: Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 347cb14b7cba7560e53f4434b419b9d8800253e7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a3dc2f7b6c2fbe62aeed7839e736db395a6f76a
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7266fd0..dd746b4 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3243,7 +3243,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 
 avio_skip(pb, 4);
 count = avio_rb32(pb);
-if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
 av_log(c->fc, AV_LOG_ERROR,
"The 'keys' atom with the invalid key count: %d\n", count);
 return AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Fix potential integer overflow in mov_read_keys

2016-09-08 Thread Sergey Volk 
ffmpeg | branch: master | Sergey Volk  | Wed Sep  7 
14:05:35 2016 -0700| [347cb14b7cba7560e53f4434b419b9d8800253e7] | committer: 
Michael Niedermayer

avformat/mov: Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=347cb14b7cba7560e53f4434b419b9d8800253e7
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f499906..a7595c5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3278,7 +3278,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 
 avio_skip(pb, 4);
 count = avio_rb32(pb);
-if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
 av_log(c->fc, AV_LOG_ERROR,
"The 'keys' atom with the invalid key count: %d\n", count);
 return AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog