[FFmpeg-cvslog] avformat/mov: Error on too large stsd entry counts.

Dale Curtis git at videolan.org
Thu Nov 1 02:55:05 EET 2018


ffmpeg | branch: release/3.3 | Dale Curtis <dalecurtis at chromium.org> | Thu Aug 30 15:18:25 2018 -0700| [1acec9bbf55b9d53c20e8d2f147458262abdc28f] | committer: Michael Niedermayer

avformat/mov: Error on too large stsd entry counts.

Entries are always at least 8 bytes per the parsing code, so if we
see an impossible entry count avoid massive allocations. This is
similar to an existing check in mov_read_stsc().

Since ff_mov_read_stsd_entries() does eof checks, an alternative
approach could be to clamp the entry count to atom.size / 8.

Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1acec9bbf55b9d53c20e8d2f147458262abdc28f
---

 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f6db8a47b7..f4687db54e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2356,7 +2356,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     avio_rb24(pb); /* flags */
     entries = avio_rb32(pb);
 
-    if (entries <= 0) {
+    /* Each entry contains a size (4 bytes) and format (4 bytes). */
+    if (entries <= 0 || entries > atom.size / 8) {
         av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
         return AVERROR_INVALIDDATA;
     }



More information about the ffmpeg-cvslog mailing list