ffmpeg | branch: release/4.0 | Dale Curtis <dalecur...@chromium.org> | Thu Aug 30 15:18:25 2018 -0700| [968ffb93af0449deea8617319aa0b9b5083da996] | committer: Michael Niedermayer
avformat/mov: Error on too large stsd entry counts. Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis <dalecur...@chromium.org> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=968ffb93af0449deea8617319aa0b9b5083da996 --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ff95154e60..bd9b302e74 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2554,7 +2554,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); - if (entries <= 0) { + /* Each entry contains a size (4 bytes) and format (4 bytes). */ + if (entries <= 0 || entries > atom.size / 8) { av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries); return AVERROR_INVALIDDATA; } _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog