diff mbox

[FFmpeg-devel] Check size of STSC allocation

Message ID CAEVbG5rc0DkoSrvK9eGe4xhzV3Vv3q9et+8hz4AyOjsqst6e0w@mail.gmail.com
State Superseded
Headers show

Commit Message

Fredrik Hubinette Nov. 15, 2017, 11:21 p.m. UTC 
This patch checks that the memory allocated for stsc entries isn't larger
than the atom.
Without this, corrupt data can easily try to allocate all the memory,
causing a crash.

Comments

Carl Eugen Hoyos Nov. 15, 2017, 11:40 p.m. UTC | #1 
2017-11-16 0:21 GMT+01:00 Fredrik Hubinette <hubbe-at-google.com@ffmpeg.org>:
> This patch checks that the memory allocated for stsc entries isn't larger
> than the atom.

Consider fixing the indentation of the second added line,
making the committer's life easier.

Thank you, Carl Eugen
diff mbox

Patch

From e79de93ea8426985d63a2369e8274ceaf296ba2d Mon Sep 17 00:00:00 2001
From: Fredrik Hubinette <hubbe@google.com>
Date: Wed, 15 Nov 2017 15:19:15 -0800
Subject: [PATCH] Check size of STSC allocation

---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7d1bd9950a..b44a777193 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2618,6 +2618,8 @@  static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     avio_rb24(pb); /* flags */
 
     entries = avio_rb32(pb);
+    if ((uint64_t)entries * 12 + 4 > atom.size)
+      return AVERROR_INVALIDDATA;
 
     av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries);
 
-- 
2.15.0.448.gf294e3d99a-goog