avformat/mov: Fix potential integer overflow in mov_read_keys

Actual allocation size is computed as (count + 1)*sizeof(meta_keys), so
we need to check that (count + 1) won't cause overflow.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f4999068519f1f06f6b5d84ca007148e74e5a82e..a7595c535f8a4d68383413f9e0d7d756e7688d21 100644 (file)
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3278,7 +3278,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     avio_skip(pb, 4);
     count = avio_rb32(pb);
-    if (count > UINT_MAX / sizeof(*c->meta_keys)) {
+    if (count > UINT_MAX / sizeof(*c->meta_keys) - 1) {
         av_log(c->fc, AV_LOG_ERROR,
                "The 'keys' atom with the invalid key count: %d\n", count);
         return AVERROR_INVALIDDATA;