avformat/mov: Fix crash with too big STSZ atoms

mov_read_stsz() did not ensure that every bit of a buffer is addressable
by an int as is required by the get_bits API, leading to a crash in
ticket #9344. Fix this by restricting the size more thoroughly.

The file from said ticket will then be considered invalid; in the
future, we might read and process the data in chunks to actually support
such files.

Fixes ticket #9344.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Andreas Rheinhardt 2021-07-24 05:43:12 +02:00
parent f0ed8de1d6
commit c2d853c1aa
1 changed files with 1 additions and 1 deletions

@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (!entries)
return 0;
if (entries >= (UINT_MAX - 4) / field_size)
if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
return AVERROR_INVALIDDATA;
if (sc->sample_sizes)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
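
Review bot: The new bound in `if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)` carries no comment explaining its terms, so a later reader cannot tell from the code why the limit moved from `UINT_MAX` to `INT_MAX` or what the `4` and the `8 * AV_INPUT_BUFFER_PADDING_SIZE` account for. A short comment above the check, saying that the total bit count of the buffer must stay addressable by an int for the get_bits API (the reason given in the commit message), would keep the constraint from being relaxed by accident. The rejection path is also silent: the check returns `AVERROR_INVALIDDATA` without any `av_log`, while the duplicated-atom case just below it logs a warning. Since the commit message says the file from the ticket will now be treated as invalid, consider logging the entry count and field size before returning so that users of such files can see why demuxing failed.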