From: Michael Niedermayer Date: Tue, 6 Jan 2015 03:29:10 +0000 (+0100) Subject: avformat/mov: fix integer overflow in mov_read_udta_string() X-Git-Tag: archive/raspbian/6%11.12-1_deb8u8+rpi1^2~21 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=adbb26e308df82a1f4f679d799d65ec5e3b5f34f;p=libav.git avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer Gbp-Pq: Name CVE-2015-1207.patch
---
diff --git a/libavformat/mov.c b/libavformat/mov.c
index c37a66f..b51e41b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -337,7 +337,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 if (!key)
 return 0;
- if (atom.size < 0)
+ if (atom.size < 0 || str_size >= INT_MAX/2)
 return AVERROR_INVALIDDATA;
 str_size = FFMIN3(sizeof(str)-1, str_size, atom.size);
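Review bot: The added bound `str_size >= INT_MAX/2` is a magic limit with no comment naming the computation it protects, and the very next line already clamps `str_size` to `sizeof(str)-1`, so the reason for the check cannot be read from this hunk. A comment such as `/* reject sizes whose doubling would overflow int; guards <expression further down> */` would record the intent, with the placeholder filled in from the rest of the function (the doubling is presumed from the `/2`, not visible here). The guard is also only an upper bound: the declaration of `str_size` is outside the hunk, and if it is a signed type a negative value would pass this check and reach `FFMIN3`, where it is compared against the unsigned `sizeof(str)-1`; worth confirming that it is unsigned or adding `str_size < 0` to the condition. The body of mov_read_udta_string starts and ends outside the hunk.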