[FFmpeg-cvslog] avformat/mov: Fix crash with too big STSZ atoms
Andreas Rheinhardt
git at videolan.org
Thu Jul 29 00:17:51 EEST 2021
ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Sat Jul 24 05:43:12 2021 +0200| [c2d853c1aae22bbc7d9905c43a9f16cb2ba3ba33] | committer: Andreas Rheinhardt
avformat/mov: Fix crash with too big STSZ atoms
mov_read_stsz() did not ensure that every bit of a buffer is addressable
by an int as is required by the get_bits API, leading to a crash in
ticket #9344. Fix this by restricting the size more thoroughly.
The file from said ticket will then be considered invalid; in the
future, we might read and process the data in chunks to actually support
such files.
Fixes ticket #9344.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2d853c1aae22bbc7d9905c43a9f16cb2ba3ba33
---
libavformat/mov.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 139bcb4b5c..a847003dc2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (!entries)
return 0;
- if (entries >= (UINT_MAX - 4) / field_size)
+ if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
return AVERROR_INVALIDDATA;
if (sc->sample_sizes)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
More information about the ffmpeg-cvslog
mailing list