ffmpeg | branch: release/3.3 | Dale Curtis <dalecur...@chromium.org> | Thu Aug 30 15:18:25 2018 -0700| [1acec9bbf55b9d53c20e8d2f147458262abdc28f] | committer: Michael Niedermayer
avformat/mov: Error on too large stsd entry counts. Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis <dalecur...@chromium.org> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1acec9bbf55b9d53c20e8d2f147458262abdc28f --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f6db8a47b7..f4687db54e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2356,7 +2356,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); - if (entries <= 0) { + /* Each entry contains a size (4 bytes) and format (4 bytes). */ + if (entries <= 0 || entries > atom.size / 8) { av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries); return AVERROR_INVALIDDATA; } _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
