Commit 9827bb88 authored by Jacob Trimble's avatar Jacob Trimble Committed by Michael Niedermayer

libavformat/mov: Fix heap buffer overflow.

Found by Chrome's ClusterFuzz: https://crbug.com/847060

Signed-off-by: Jacob Trimble <modmaker@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent 841c1efc
...@@ -5895,7 +5895,7 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) ...@@ -5895,7 +5895,7 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
for (i = 0; i < sample_count; i++) { for (i = 0; i < sample_count; i++) {
unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size,
min_samples * sizeof(*encrypted_samples)); min_samples * sizeof(*encrypted_samples));
if (encrypted_samples) { if (encrypted_samples) {
...@@ -5949,7 +5949,7 @@ static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon ...@@ -5949,7 +5949,7 @@ static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOCon
} }
for (i = 0; i < sample_count && !pb->eof_reached; i++) { for (i = 0; i < sample_count && !pb->eof_reached; i++) {
unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); unsigned int min_samples = FFMIN(FFMAX(i + 1, 1024 * 1024), sample_count);
encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size,
min_samples * sizeof(*encrypted_samples)); min_samples * sizeof(*encrypted_samples));
if (!encrypted_samples) { if (!encrypted_samples) {
...@@ -6110,7 +6110,7 @@ static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom) ...@@ -6110,7 +6110,7 @@ static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
for (i = 0; i < entry_count && !pb->eof_reached; i++) { for (i = 0; i < entry_count && !pb->eof_reached; i++) {
unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count); unsigned int min_offsets = FFMIN(FFMAX(i + 1, 1024), entry_count);
auxiliary_offsets = av_fast_realloc( auxiliary_offsets = av_fast_realloc(
encryption_index->auxiliary_offsets, &alloc_size, encryption_index->auxiliary_offsets, &alloc_size,
min_offsets * sizeof(*auxiliary_offsets)); min_offsets * sizeof(*auxiliary_offsets));
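Review bot: The invariant this fix restores, that the buffer must hold at least `i + 1` elements before element `i` is written, is still implicit and is repeated in three copies of the same sizing expression (mov_read_senc, mov_parse_auxiliary_info, mov_read_saio). A comment above each `FFMIN(FFMAX(i + 1, ...), ...)` line, for example `/* grow in steps as entries are actually read; must cover index i, hence i + 1 */`, would make the off-by-one harder to reintroduce. The products `min_samples * sizeof(*encrypted_samples)` and `min_offsets * sizeof(*auxiliary_offsets)` are only safe if the file-supplied count is bounded before the loop. The `return AVERROR(ENOMEM);` context lines suggest such a check exists, but it lies outside the visible hunks and should be confirmed for all three functions. All three loop bodies continue beyond the hunks shown.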