diff options
| author | Jacob Trimble <modmaker-at-google.com@ffmpeg.org> | 2018-05-31 10:41:29 -0700 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-06-02 01:55:12 +0200 |
| commit | 9827bb88e7dc55d5aaeddfaa3d1ba80a7489566c (patch) | |
| tree | 67bf1431a64c6f82922efc10b6054c422a8aeeb4 /libavformat/mov.c | |
| parent | 841c1efc78ace70497187d984adf31c7cc2cd7b6 (diff) | |
libavformat/mov: Fix heap buffer overflow.
Found by Chrome's ClusterFuzz: https://crbug.com/847060
Signed-off-by: Jacob Trimble <modmaker@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/mov.c')
| -rw-r--r-- | libavformat/mov.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index f2a540ad50..08cc382a68 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5895,7 +5895,7 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); for (i = 0; i < sample_count; i++) { - unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); + unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count); encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, min_samples * sizeof(*encrypted_samples)); if (encrypted_samples) { @@ -5949,7 +5949,7 @@ static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon } for (i = 0; i < sample_count && !pb->eof_reached; i++) { - unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); + unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count); encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, min_samples * sizeof(*encrypted_samples)); if (!encrypted_samples) { @@ -6110,7 +6110,7 @@ static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); for (i = 0; i < entry_count && !pb->eof_reached; i++) { - unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count); + unsigned int min_offsets = FFMIN(FFMAX(i + 1, 1024), entry_count); auxiliary_offsets = av_fast_realloc( encryption_index->auxiliary_offsets, &alloc_size, min_offsets * sizeof(*auxiliary_offsets)); |