Browse code
avformat/mov: fix integer overflow of size
Fixes: case1_call_stack_overflow.mp4
Found-by: Michal Zalewski <lcamtuf@coredump.cx>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/12/17 05:29:27Showing 1 changed files
| ... | ... |
@@ -1480,7 +1480,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, |
| 1480 | 1480 |
|
| 1481 | 1481 |
static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb, |
| 1482 | 1482 |
AVStream *st, MOVStreamContext *sc, |
| 1483 |
- int size) |
|
| 1483 |
+ int64_t size) |
|
| 1484 | 1484 |
{
|
| 1485 | 1485 |
// ttxt stsd contains display flags, justification, background |
| 1486 | 1486 |
// color, fonts, and default styles, so fake an atom to read it |
| ... | ... |
@@ -1494,10 +1494,10 @@ static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb, |
| 1494 | 1494 |
|
| 1495 | 1495 |
static int mov_parse_stsd_data(MOVContext *c, AVIOContext *pb, |
| 1496 | 1496 |
AVStream *st, MOVStreamContext *sc, |
| 1497 |
- int size) |
|
| 1497 |
+ int64_t size) |
|
| 1498 | 1498 |
{
|
| 1499 | 1499 |
if (st->codec->codec_tag == MKTAG('t','m','c','d')) {
|
| 1500 |
- if (ff_get_extradata(st->codec, pb, size) < 0) |
|
| 1500 |
+ if ((int)size != size || ff_get_extradata(st->codec, pb, size) < 0) |
|
| 1501 | 1501 |
return AVERROR(ENOMEM); |
| 1502 | 1502 |
if (size > 16) {
|
| 1503 | 1503 |
MOVStreamContext *tmcd_ctx = st->priv_data; |