ffmpeg | branch: master | Dale Curtis <dalecur...@chromium.org> | Fri Feb 2 20:49:44 2024 +0000| [6ef32ea5748e9dcc2c8d1c076607b8d15650a5fe] | committer: Michael Niedermayer
Avoid OOM for invalid STCO / CO64 constructions. The `entries` value is read directly from the stream and used to allocate memory. This change clamps `entries` to however many are possible in the remaining atom or file size (whichever is smallest). Fixes https://crbug.com/1429357 Signed-off-by: Dale Curtis <dalecur...@chromium.org> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ef32ea5748e9dcc2c8d1c076607b8d15650a5fe --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3a733aae9c..1a1b104615 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2362,7 +2362,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_r8(pb); /* version */ avio_rb24(pb); /* flags */ + // Clamp allocation size for `chunk_offsets` -- don't throw an error for an + // invalid count since the EOF path doesn't throw either. entries = avio_rb32(pb); + entries = + FFMIN(entries, + FFMAX(0, (atom.size - 8) / + (atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8))); if (!entries) return 0; @@ -2371,6 +2377,7 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); return 0; } + av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
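Review bot: the clamp in the first hunk (mov_read_stco, around line 2362) bounds `entries` by `atom.size` only, but the commit message says the count is clamped to the remaining atom or file size, whichever is smaller; nothing in the hunk bounds against the file size, so either add that bound here, state in the message that `atom.size` is already limited to the file size by the caller, or reword the message to match the code. The arithmetic itself checks out against the visible lines: the 8 bytes subtracted are the version/flags/count header read just above, the 4/8 divisor matches 32-bit STCO and 64-bit CO64 entries, and FFMAX(0, ...) covers atoms shorter than the header. Minor style point: the four-line `entries = FFMIN(...)` layout is hard to read; the same expression fits on two lines, e.g. `entries = FFMIN(entries, FFMAX(0, (atom.size - 8) /` followed by `(atom.type == MKTAG('s','t','c','o') ? 4 : 8)));`.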
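Review bot: the `av_free(sc->chunk_offsets);` added in the second hunk (around line 2377) is not explained by the commit message, which only describes the clamp; the context just above returns early with "Ignoring duplicated STCO atom" when a table already exists, so it is not clear from the hunk which path reaches this line with a stale `chunk_offsets`. Please document that path in the message (or drop the call if the pointer can only be NULL here), and if it can be non-NULL prefer `av_freep(&sc->chunk_offsets);` so the pointer is reset together with `sc->chunk_count = 0` rather than left pointing at freed memory until the following `av_malloc_array` assigns it.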