[FFmpeg-cvslog] avformat/mov: Fix crash with too big STSZ atoms

Andreas Rheinhardt git at videolan.org
Thu Jul 29 00:17:51 EEST 2021


ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Sat Jul 24 05:43:12 2021 +0200| [c2d853c1aae22bbc7d9905c43a9f16cb2ba3ba33] | committer: Andreas Rheinhardt

avformat/mov: Fix crash with too big STSZ atoms

mov_read_stsz() did not ensure that every bit of a buffer is addressable
by an int as is required by the get_bits API, leading to a crash in
ticket #9344. Fix this by restricting the size more thoroughly.

The file from said ticket will then be considered invalid; in the
future, we might read and process the data in chunks to actually support
such files.

Fixes ticket #9344.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2d853c1aae22bbc7d9905c43a9f16cb2ba3ba33
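The commit message above says the old bound only guarded the unsigned bit count, while the bit reader needs the whole buffer, padding included, to be addressable by an int. The following C is an added example, not FFmpeg code: it puts the pre-patch and post-patch checks side by side and verifies, in 64-bit arithmetic, whether the resulting bit count fits an int. `AV_INPUT_BUFFER_PADDING_SIZE` is assumed to be 64 bytes here (the real value lives in FFmpeg's headers and has changed across versions), and the helper names `stsz_accept_old`, `stsz_accept_new`, `stsz_bit_count`, `stsz_fits_int` and `stsz_new_bound_is_safe` are all constructed for this illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value (bytes); FFmpeg defines the real constant in its headers. */
#define AV_INPUT_BUFFER_PADDING_SIZE 64

/* Pre-patch bound: only prevents entries * field_size (in bits) from
 * overflowing an unsigned int. Returns 1 if the table is accepted. */
int stsz_accept_old(uint32_t entries, unsigned field_size)
{
    if (field_size == 0)
        return 0;
    return !(entries >= (UINT_MAX - 4) / field_size);
}

/* Post-patch bound from the commit: the bit count plus the padding bits
 * must additionally fit in a signed int, which is what the bit reader takes. */
int stsz_accept_new(uint32_t entries, unsigned field_size)
{
    if (field_size == 0)
        return 0;
    return !(entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size);
}

/* Bit count the reader would be handed, computed in 64 bits so that the
 * overflow is visible rather than wrapped. Padding is counted in bits, as
 * the reader's "every bit addressable by an int" requirement implies. */
uint64_t stsz_bit_count(uint32_t entries, unsigned field_size)
{
    return (uint64_t)entries * field_size + 8 * (uint64_t)AV_INPUT_BUFFER_PADDING_SIZE;
}

int stsz_fits_int(uint32_t entries, unsigned field_size)
{
    return stsz_bit_count(entries, field_size) <= (uint64_t)INT_MAX;
}

/* Takes the largest entry count the new check still accepts for a given
 * field size and confirms that its bit count fits an int. */
int stsz_new_bound_is_safe(unsigned field_size)
{
    uint32_t limit, largest_accepted;

    if (field_size == 0)
        return 0;
    limit = (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size;
    largest_accepted = limit - 1;
    return stsz_accept_new(largest_accepted, field_size) &&
           stsz_fits_int(largest_accepted, field_size);
}

int main(void)
{
    /* Constructed input: 4-bit sample sizes with 2^29 + 1 entries. The old
     * check lets this through although the bit count exceeds INT_MAX. */
    uint32_t entries = 536870913u;
    unsigned field_size = 4;
    unsigned sizes[] = { 4, 8, 16, 32 };
    size_t i;

    printf("entries=%u field_size=%u bits=%llu old=%d new=%d fits_int=%d\n",
           entries, field_size,
           (unsigned long long)stsz_bit_count(entries, field_size),
           stsz_accept_old(entries, field_size),
           stsz_accept_new(entries, field_size),
           stsz_fits_int(entries, field_size));

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("field_size=%u new bound safe=%d\n",
               sizes[i], stsz_new_bound_is_safe(sizes[i]));
    return 0;
}
```

The point of `stsz_new_bound_is_safe` is that the post-patch bound is safe for every field size the code can encounter, while the pre-patch bound accepts counts whose bit total is only representable as an unsigned value.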
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 139bcb4b5c..a847003dc2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     if (!entries)
         return 0;
-    if (entries >= (UINT_MAX - 4) / field_size)
+    if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
         return AVERROR_INVALIDDATA;
     if (sc->sample_sizes)
         av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
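Review bot: The new limit mixes units in one expression and deserves a one-line comment at the `if`: `8 * AV_INPUT_BUFFER_PADDING_SIZE` converts the padding from bytes to bits, and the comparison only makes sense if `entries * field_size` is read as a bit count, which is not obvious from `if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)` alone. Suggest something like `/* entries * field_size bits plus padding must fit in an int for get_bits */` above the check so that the bound is not quietly loosened back to `UINT_MAX` by a later cleanup. Otherwise the shape is right: rejecting with `AVERROR_INVALIDDATA` before anything is allocated is the correct failure for an oversized size table in untrusted input, and since the commit message says the file from ticket #9344 is now treated as invalid, a regression sample in the test suite would keep that behaviour covered.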
