[FFmpeg-devel] Check size of STSC allocation

Fredrik Hubinette Wed, 15 Nov 2017 15:21:37 -0800

This patch checks that the memory allocated for stsc entries isn't larger
than the atom.
Without this, corrupt data can easily try to allocate all the memory,
causing a crash.

From e79de93ea8426985d63a2369e8274ceaf296ba2d Mon Sep 17 00:00:00 2001
From: Fredrik Hubinette <hu...@google.com>
Date: Wed, 15 Nov 2017 15:19:15 -0800
Subject: [PATCH] Check size of STSC allocation


---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7d1bd9950a..b44a777193 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2618,6 +2618,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     avio_rb24(pb); /* flags */
 
     entries = avio_rb32(pb);
+    if ((uint64_t)entries * 12 + 4 > atom.size)
+      return AVERROR_INVALIDDATA;
 
     av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries);
 
-- 
2.15.0.448.gf294e3d99a-goog

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

[FFmpeg-devel] Check size of STSC allocation

Reply via email to