From patchwork Thu Dec 23 07:19:13 2021
X-Patchwork-Submitter: Gyan Doshi
X-Patchwork-Id: 32850
From: Gyan Doshi To: ffmpeg-devel@ffmpeg.org Date: Thu, 23 Dec 2021 12:49:13 +0530 Message-Id: <20211223071913.50635-2-ffmpeg@gyani.pro> In-Reply-To: <20211223071913.50635-1-ffmpeg@gyani.pro> References: <20211223071913.50635-1-ffmpeg@gyani.pro> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH v3 2/2] avformat/mov: validate box size for stts X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: OpJDiU+9Xh/a --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e223e95e2e..71404ba07a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2968,6 +2968,12 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if (validate_box_size(c, atom, pb, avio_tell(pb)-8, 8+(int64_t)entries*8, 1)) { + av_log(c->fc, AV_LOG_ERROR, "Invalid or incomplete %s box in stream %d\n", + av_fourcc2str(atom.type), c->fc->nb_streams-1); + return AVERROR_INVALIDDATA; + } + av_log(c->fc, AV_LOG_TRACE, "track[%u].stts.entries = %u\n", c->fc->nb_streams-1, entries);
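Review bot: the new error message in mov_read_stts prints `c->fc->nb_streams-1` with `%d`, while the existing trace line directly below prints the same expression with `%u`; use `%u` in the new av_log() call as well so the two agree. The literal 8s in the validate_box_size() call also mean two different things: `avio_tell(pb)-8` and the leading `8+` are the version, flags and entry-count bytes already read at this point, whereas `entries*8` is the size of one stts entry. A short comment or named constants would make that checkable at a glance, and the same applies to the bare trailing `1`, whose meaning is defined outside this hunk. The `(int64_t)` cast ahead of the multiply is what keeps a 32-bit `entries` value read from the file from wrapping, so it needs to survive any refactoring of that expression.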