[FFmpeg-devel] [PATCH] lavf/mov.c: Fix parsing of edit list atoms with invalid elst entry count.
Michael Niedermayer
michael at niedermayer.cc
Sat Oct 21 02:26:35 EEST 2017
On Wed, Oct 18, 2017 at 08:12:50PM -0700, Sasi Inguva wrote:
> Signed-off-by: Sasi Inguva <isasi at google.com>
> ---
> libavformat/mov.c | 16 +++++++-
> tests/fate/mov.mak | 6 ++-
> tests/ref/fate/mov-invalid-elst-entry-count | 57 +++++++++++++++++++++++++++++
> 3 files changed, 76 insertions(+), 3 deletions(-)
> create mode 100644 tests/ref/fate/mov-invalid-elst-entry-count
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index b22a116140..8d2602c739 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -4596,7 +4596,7 @@ free_and_return:
> static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> {
> MOVStreamContext *sc;
> - int i, edit_count, version;
> + int i, edit_count, version, elst_entry_size;
>
> if (c->fc->nb_streams < 1 || c->ignore_editlist)
> return 0;
> @@ -4605,6 +4605,15 @@ static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> version = avio_r8(pb); /* version */
> avio_rb24(pb); /* flags */
> edit_count = avio_rb32(pb); /* entries */
> + atom.size -= 8;
> +
> + elst_entry_size = version == 1 ? 20 : 12;
> + if (atom.size != edit_count * elst_entry_size &&
the edit_count * elst_entry_size can overflow
> + c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) {
> + av_log(c->fc, AV_LOG_ERROR, "Invalid edit list entry_count: %d for elst atom of size: %"PRId64" bytes.\n",
> + edit_count, atom.size + 8);
> + return AVERROR_INVALIDDATA;
> + }
>
> if (!edit_count)
> return 0;
> @@ -4617,17 +4626,20 @@ static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> return AVERROR(ENOMEM);
>
> av_log(c->fc, AV_LOG_TRACE, "track[%u].edit_count = %i\n", c->fc->nb_streams - 1, edit_count);
> - for (i = 0; i < edit_count && !pb->eof_reached; i++) {
> + for (i = 0; i < edit_count && atom.size > 0 && !pb->eof_reached; i++) {
> MOVElst *e = &sc->elst_data[i];
isnt atom.size < 0 an error condition ?
this could would not error out in that case
is that intended ?
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20171021/73bf98f1/attachment.sig>
More information about the ffmpeg-devel
mailing list