From patchwork Mon Jul 31 21:40:28 2017
X-Patchwork-Submitter: Dale Curtis
X-Patchwork-Id: 4555
From: Dale Curtis
Date: Mon, 31 Jul 2017 14:40:28 -0700
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [mov] Bail when invalid sample data is present.

[mov] Bail when invalid sample data is present.

ctts data in ffmpeg relies on the index entries array to be 1:1 with
samples... yet sc->sample_count can be read directly from the 'stsz' box
and index entries are only generated if a chunk count has been read from
'stco' box.

Ensure that if sc->sample_count > 0, sc->chunk_count is too.

This should be applied on top of the ctts fixes in my previous patch.

From e3b51516046255540c5a76b41e02cee7f0902541 Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Mon, 31 Jul 2017 13:44:22 -0700
Subject: [PATCH] [mov] Bail when invalid sample data is present.

ctts data in ffmpeg relies on the index entries array to be 1:1 with
samples... yet sc->sample_count can be read directly from the 'stsz' box
and index entries are only generated if a chunk count has been read from
'stco' box.

Ensure that if sc->sample_count > 0, sc->chunk_count is too.

--- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ab8e914581..5fe9bfac59 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c
@@ -3750,8 +3750,9 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->trak_index = -1; /* sanity checks */ - if (sc->chunk_count && (!sc->stts_count || !sc->stsc_count || - (!sc->sample_size && !sc->sample_count))) { + if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || + (!sc->sample_size && !sc->sample_count))) || + (!sc->chunk_count && sc->sample_count)) { av_log(c->fc, AV_LOG_ERROR, "stream %d, missing mandatory atoms, broken header\n", st->index); return 0; -- 2.14.0.rc0.400.g1c36432dff-goog
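Review bot: the new `(!sc->chunk_count && sc->sample_count)` clause in mov_read_trak() falls into the existing branch that logs "missing mandatory atoms, broken header" and then does `return 0`, so the subject's "bail" is a zero return with sc->sample_count still nonzero. Since the commit message says the ctts handling depends on index entries being 1:1 with samples, it is worth confirming that nothing after this early return reads sc->sample_count or the ctts data for this track; if that cannot be guaranteed, either clear those counts in this branch or return an error code instead of 0. Two smaller points: the combined condition has no comment, and a one-line note above the added clause stating the invariant (sample_count from 'stsz' requires a chunk count from 'stco') would keep a later cleanup from dropping it; and the shared log text does not distinguish the new case from the original one, so a separate message for "samples without chunks" would make reports from malformed files easier to triage.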