
[FFmpeg-devel] avformat/mov: Check STSC and remove invalid entries

Message ID 20180320010627.7766-1-michael@niedermayer.cc
State Accepted
Commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e

Commit Message

Michael Niedermayer March 20, 2018, 1:06 a.m. UTC
Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009

Affects: aark15sd_9A62E2FA.mp4

Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

Comments

Michael Niedermayer March 20, 2018, 9:33 p.m. UTC | #1
On Tue, Mar 20, 2018 at 02:06:27AM +0100, Michael Niedermayer wrote:
> Fixes assertion failure
> Fixes: crbug 822547, crbug 822666 and crbug 823009
> 
> Affects: aark15sd_9A62E2FA.mp4
> 
> Found-by: ClusterFuzz
> Reviewed-by: Matt Wolenetz <wolenetz@google.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)

will apply

[...]

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 232e59887e..075e833bad 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2655,6 +2655,21 @@  static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     }
 
     sc->stsc_count = i;
+    for (i = sc->stsc_count - 1; i < UINT_MAX; i--) {
+        if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) ||
+            (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) ||
+            sc->stsc_data[i].first < 1 ||
+            sc->stsc_data[i].count < 1 ||
+            sc->stsc_data[i].id < 1) {
+            av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id);
+            if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2)
+                return AVERROR_INVALIDDATA;
+            // We replace this entry by the next valid
+            sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1;
+            sc->stsc_data[i].count = sc->stsc_data[i+1].count;
+            sc->stsc_data[i].id    = sc->stsc_data[i+1].id;
+        }
+    }
 
     if (pb->eof_reached) {
         av_log(c->fc, AV_LOG_WARNING, "reached eof, corrupted STSC atom\n");
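Review bot: The warning on the av_log line inside the new loop prints `i` and the three STSC fields with `%d`, but the loop condition `i < UINT_MAX` only terminates because `i` is unsigned and wraps below zero, and the `< 1` checks read the same way for `first`, `count` and `id`; if those are indeed unsigned (their declarations are outside this hunk), the matching specifier is `%u`, e.g. `av_log(c->fc, AV_LOG_WARNING, "STSC entry %u is invalid (first=%u count=%u id=%u)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id);`. The repair step relies on the loop running from the last entry downward so that entry `i+1` has already been validated (or the function has returned) before it is copied into entry `i`; that ordering is worth stating above the `for`, e.g. `/* Walk backwards so stsc_data[i+1] is already known valid before it is used to patch entry i */`. Note also that a single corrupt entry is silently rewritten with only a warning, so a parser consumer cannot tell a sanitized table from an original one; if that matters for callers, the comment should say the table is best-effort repaired rather than rejected. mov_read_stsc begins before and continues after this hunk.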
@@ -4144,6 +4159,11 @@  static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
                st->index);
         return 0;
     }
+    if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) {
+        av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n",
+               st->index);
+        return AVERROR_INVALIDDATA;
+    }
 
     fix_timescale(c, sc);