From 9827bb88e7dc55d5aaeddfaa3d1ba80a7489566c Mon Sep 17 00:00:00 2001
From: Jacob Trimble
Date: Thu, 31 May 2018 10:41:29 -0700
Subject: libavformat/mov: Fix heap buffer overflow.
Found by Chrome's ClusterFuzz: https://crbug.com/847060
Signed-off-by: Jacob Trimble
Signed-off-by: Michael Niedermayer
---
 libavformat/mov.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'libavformat/mov.c')
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f2a540ad50..08cc382a68 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5895,7 +5895,7 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 return AVERROR(ENOMEM);
 for (i = 0; i < sample_count; i++) {
- unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count);
+ unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
 encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, min_samples * sizeof(*encrypted_samples));
 if (encrypted_samples) {
@@ -5949,7 +5949,7 @@ static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon
 }
 for (i = 0; i < sample_count && !pb->eof_reached; i++) {
- unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count);
+ unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
 encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, min_samples * sizeof(*encrypted_samples));
 if (!encrypted_samples) {
@@ -6110,7 +6110,7 @@ static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 return AVERROR(ENOMEM);
 for (i = 0; i < entry_count && !pb->eof_reached; i++) {
- unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count);
+ unsigned int min_offsets = FFMIN(FFMAX(i + 1, 1024), entry_count);
 auxiliary_offsets = av_fast_realloc( encryption_index->auxiliary_offsets, &alloc_size, min_offsets * sizeof(*auxiliary_offsets));
-- cgit v1.2.3
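Review bot: The `i + 1` inside the `FFMIN(FFMAX(i + 1, …), …)` clamp carries no comment saying why the extra element is needed, and the same expression is repeated in mov_read_senc, mov_parse_auxiliary_info and mov_read_saio, which is how one off-by-one ended up in three places. A one-line comment above each, such as `/* entry i is filled in below, so the buffer must hold at least i + 1 elements */`, would keep the invariant visible; the write to index i is outside the hunks, so that wording is inferred from the commit title and should be checked against the loop bodies. The chunked growth looks intended to avoid sizing the allocation directly from a count read out of the file, and if that is the intent it deserves a sentence in the same comment. A small static helper taking the index, the floor (1024 * 1024 or 1024) and the declared count would let the three call sites share one definition of the required size. All three loop bodies continue past the end of their hunks.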