
[FFmpeg-devel] lavf/mov: don't read outside frag_index bounds

Message ID 20171117162102.19336-1-jstebbins@jetheaddev.com
State Accepted
Commit 20c38f2e7085ce02c19df965d02ecdf5628f11b8

Commit Message

John Stebbins Nov. 17, 2017, 4:21 p.m. UTC
Potentially fixes:
https://bugs.chromium.org/p/chromium/issues/detail?id=786269#c1

In theory, the crash can be triggered by an invalid stream that has
either tfdt or trun outside of the moof
---
 libavformat/mov.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Dale Curtis Nov. 17, 2017, 8:23 p.m. UTC | #1
lgtm, fixes the crash and doesn't regress any of our tests.

- dale

On Fri, Nov 17, 2017 at 8:21 AM, John Stebbins <jstebbins@jetheaddev.com>
wrote:

> Potentially fixes:
> https://bugs.chromium.org/p/chromium/issues/detail?id=786269#c1
>
> In theory, the crash can be triggered by an invalid stream that has
> either tfdt or trun outside of the moof
> ---
>  libavformat/mov.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index d49d820d2b..0fbc7f54a2 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -1188,6 +1188,10 @@ static void set_frag_stream(MOVFragmentIndex
> *frag_index, int id)
>  static MOVFragmentStreamInfo * get_current_frag_stream_info(
>      MOVFragmentIndex *frag_index)
>  {
> +    if (frag_index->current < 0 ||
> +        frag_index->current >= frag_index->nb_items)
> +        return NULL;
> +
>      MOVFragmentIndexItem * item = &frag_index->item[frag_index->current];
>      if (item->current >= 0 && item->current < item->nb_stream_info)
>          return &item->stream_info[item->current];
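Review bot: the added early return puts a statement ahead of the declaration `MOVFragmentIndexItem * item = &frag_index->item[frag_index->current];`, so this hunk mixes declarations and code, which FFmpeg's C style (declarations at the start of the block) does not permit. Suggest declaring `MOVFragmentIndexItem *item;` at the top of the function body and assigning it after the new range check, i.e. `item = &frag_index->item[frag_index->current];`.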
> --
> 2.13.6
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
Michael Niedermayer Nov. 18, 2017, 2:15 a.m. UTC | #2
On Fri, Nov 17, 2017 at 12:23:11PM -0800, Dale Curtis wrote:
> lgtm, fixes the crash and doesn't regress any of our tests.

will apply unless it breaks something in testing

thanks

[...]

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index d49d820d2b..0fbc7f54a2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1188,6 +1188,10 @@  static void set_frag_stream(MOVFragmentIndex *frag_index, int id)
 static MOVFragmentStreamInfo * get_current_frag_stream_info(
     MOVFragmentIndex *frag_index)
 {
+    if (frag_index->current < 0 ||
+        frag_index->current >= frag_index->nb_items)
+        return NULL;
+
     MOVFragmentIndexItem * item = &frag_index->item[frag_index->current];
     if (item->current >= 0 && item->current < item->nb_stream_info)
         return &item->stream_info[item->current];
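Review bot: the new guard on `frag_index->current` returns NULL, and the existing check `if (item->current >= 0 && item->current < item->nb_stream_info)` below it shows the function already had a NULL-returning path, so callers are presumably expected to handle NULL already; it would be worth confirming in this change that every caller of get_current_frag_stream_info() tests the result before dereferencing it, otherwise the out-of-bounds read on a malformed moof becomes a NULL dereference rather than going away. Also, `frag_index->current` is compared against `nb_items` but the hunk does not show its type; if it is signed, the `< 0` half of the check is what keeps a negative sentinel from indexing before the array, so keep both halves.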