[FFmpeg-devel] [PATCH] avformat/mov: validate chunk_count vs stsc_data
chcunningham
chcunningham at chromium.org
Fri Feb 1 03:18:26 EET 2019
Bad content may contain stsc boxes with a first_chunk index that
exceeds stco.entries (chunk_count).
mov_get_stsc_samples now checks for this and returns 0 when
values are invalid.
Also updates MOVStsc to use unsigned ints, per spec.
---
libavformat/isom.h | 6 +++---
libavformat/mov.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavformat/isom.h b/libavformat/isom.h
index e629663949..8e0d8355b3 100644
--- a/libavformat/isom.h
+++ b/libavformat/isom.h
@@ -59,9 +59,9 @@ typedef struct MOVStts {
} MOVStts;
typedef struct MOVStsc {
- int first;
- int count;
- int id;
+ unsigned int first;
+ unsigned int count;
+ unsigned int id;
} MOVStsc;
typedef struct MOVElst {
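Review bot: Making `first`, `count` and `id` unsigned changes the meaning of every existing comparison and subtraction on these fields, and only one user (`mov_get_stsc_samples`) is updated in this patch. Any check elsewhere of the form `x < 0` or `x <= 0`, and any `%d` log format, would need auditing; those call sites are not visible here, so this is a request to confirm rather than a known defect. Since the values are read straight from the file, a field comment would help, for example `unsigned int first; /* 1-based chunk index from the stsc box; untrusted, must be >= 1 */`.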
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9b9739f788..dcf4ee8dc1 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2690,11 +2690,11 @@ static inline int mov_stsc_index_valid(unsigned int index, unsigned int count)
/* Compute the samples value for the stsc entry at the given index. */
static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index)
{
- int chunk_count;
+ unsigned int chunk_count = 0;
if (mov_stsc_index_valid(index, sc->stsc_count))
chunk_count = sc->stsc_data[index + 1].first - sc->stsc_data[index].first;
- else
+ else if (sc->chunk_count >= sc->stsc_data[index].first)
chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1);
return sc->stsc_data[index].count * (int64_t)chunk_count;
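Review bot: The new `else if` guard rejects `first > chunk_count` but not `first == 0`, so with the now-unsigned field `sc->stsc_data[index].first - 1` wraps and the branch yields `chunk_count + 1` (modulo 2^32) instead of 0. Writing it as `else if (sc->stsc_data[index].first >= 1 && sc->chunk_count >= sc->stsc_data[index].first)` would close that, unless a parse-time check not visible here already guarantees `first >= 1`. The first branch remains unchecked: if the next entry's `first` is not greater than this one's, the unsigned subtraction wraps to a very large value where it previously went negative. With both operands now full-range 32-bit, `count * (int64_t)chunk_count` can then exceed INT64_MAX, which is signed overflow; assigning only when `sc->stsc_data[index + 1].first > sc->stsc_data[index].first` and leaving 0 otherwise would avoid it. The function's closing brace lies outside the hunk.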
--
2.20.1.611.gfbb209baf1-goog