This patch checks that the memory allocated for stsc entries isn't larger
than the atom.
Without this, corrupt data can easily try to allocate all the memory,
causing a crash.
---
libavformat/mov.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7d1bd9950a..4fef73c8ed 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2618,6 +2618,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext
*pb, MOVAtom atom)
avio_rb24(pb); /* flags */
entries = avio_rb32(pb);
+ if (((size_t)entries) * 12 + 4 > atom.size)
+ return AVERROR_INVALIDDATA;
av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n",
c->fc->nb_streams - 1, entries);
--
2.15.0.448.gf294e3d99a-goog
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
