From: Fredrik Hubinette
Date: Wed, 15 Nov 2017 17:25:47 -0800
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] Check size of STSC allocation

Fixed indentation.

On Wed, Nov 15, 2017 at 3:40 PM, Carl Eugen Hoyos wrote:

> 2017-11-16 0:21 GMT+01:00 Fredrik Hubinette:
> > This patch checks that the memory allocated for stsc entries isn't larger
> > than the atom.
>
> Consider fixing the indentation of the second added line,
> making the committer's life easier.
>
> Thank you, Carl Eugen

From 13afb2b1a5d135b6aed55b910a4146da972a6e01 Mon Sep 17 00:00:00 2001
From: Fredrik Hubinette Date: Wed, 15 Nov 2017 17:24:30 -0800 Subject: [PATCH] Check size of STSC allocation --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7d1bd9950a..46862512ac 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2618,6 +2618,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if ((uint64_t)entries * 12 + 4 > atom.size) + return AVERROR_INVALIDDATA; av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries); -- 2.15.0.448.gf294e3d99a-goog
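
Review bot: The constants in the added check `(uint64_t)entries * 12 + 4 > atom.size` are unexplained, and the `+ 4` does not obviously match the bytes already consumed: the context lines just above it read a 3-byte flags field with `avio_rb24(pb)` and a 4-byte entry count with `avio_rb32(pb)` before the comparison. Consider a short comment saying what the 12 and the fixed term stand for, or deriving the fixed term from the fields actually read, so the bound is not looser than intended. Widening to `uint64_t` before the multiply is the right call, since `entries` comes straight from `avio_rb32(pb)` and `entries * 12` could wrap in 32 bits; if `atom.size` is a signed type, though, the comparison converts it to unsigned and a negative size would pass the check. The early `return AVERROR_INVALIDDATA;` is also silent, and an `av_log` message ahead of it would help when diagnosing rejected files.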