mirror of
https://git.videolan.org/git/ffmpeg.git
synced 2024-10-04 09:37:53 +02:00
mov: stsd entries must be at least 16 byte
Fix near infinite loop in stsd parsing. Bug found by: Diana Elena Muscalu The size is unsigned according to the specification. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
parent
9db67bedf0
commit
a5ea623b36
@ -1098,13 +1098,16 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries)
|
|||||||
int dref_id = 1;
|
int dref_id = 1;
|
||||||
MOVAtom a = { AV_RL32("stsd") };
|
MOVAtom a = { AV_RL32("stsd") };
|
||||||
int64_t start_pos = avio_tell(pb);
|
int64_t start_pos = avio_tell(pb);
|
||||||
int size = avio_rb32(pb); /* size */
|
uint32_t size = avio_rb32(pb); /* size */
|
||||||
uint32_t format = avio_rl32(pb); /* data format */
|
uint32_t format = avio_rl32(pb); /* data format */
|
||||||
|
|
||||||
if (size >= 16) {
|
if (size >= 16) {
|
||||||
avio_rb32(pb); /* reserved */
|
avio_rb32(pb); /* reserved */
|
||||||
avio_rb16(pb); /* reserved */
|
avio_rb16(pb); /* reserved */
|
||||||
dref_id = avio_rb16(pb);
|
dref_id = avio_rb16(pb);
|
||||||
|
} else {
|
||||||
|
av_log(c->fc, AV_LOG_ERROR, "invalid size %d in stsd\n", size);
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (st->codec->codec_tag &&
|
if (st->codec->codec_tag &&
|
||||||
|
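Review bot: `size` is only bounded from below at `if (size >= 16)`; nothing in the visible lines compares it with the bytes remaining in the enclosing stsd atom, so an entry declaring a size far larger than its container still passes this check. Whether later code clamps it is outside the hunk and worth confirming, since the field comes straight from the file. Now that `size` is `uint32_t`, the log call should use the matching specifier, `av_log(c->fc, AV_LOG_ERROR, "invalid size %"PRIu32" in stsd\n", size);`, instead of `%d`. The constant would also read better with a comment such as `/* 16 = size(4) + format(4) + reserved(6) + dref index(2) */`, which is exactly what the reads in this block consume. The body of ff_mov_read_stsd_entries starts and ends outside the hunk.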