avformat/mov: fix integer overflow in mov_read_udta_string()

author Michael Niedermayer <michaelni@gmx.at>

Tue, 6 Jan 2015 03:29:10 +0000 (04:29 +0100)

committer Mike Gabriel <sunweaver@debian.org>

Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)
author Michael Niedermayer <michaelni@gmx.at>
Tue, 6 Jan 2015 03:29:10 +0000 (04:29 +0100)
committer Mike Gabriel <sunweaver@debian.org>
Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)
diff --git a/libavformat/mov.c b/libavformat/mov.c

index c37a66f061b335f4835bb4c8538e70f29673af77..b51e41b690cf8a09b2ea7717bc52bfeb4b4b3c36 100644 (file)
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -337,7 +337,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
  
      if (!key)
          return 0;
-    if (atom.size < 0)
+    if (atom.size < 0 || str_size >= INT_MAX/2)
          return AVERROR_INVALIDDATA;
  
      str_size = FFMIN3(sizeof(str)-1, str_size, atom.size);
author	Michael Niedermayer <michaelni@gmx.at>
	Tue, 6 Jan 2015 03:29:10 +0000 (04:29 +0100)
committer	Mike Gabriel <sunweaver@debian.org>
	Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)