[FFmpeg-devel] check size of stsc allocation

Fredrik Hubinette hubbe at google.com
Tue Nov 14 03:08:11 EET 2017


This patch checks that the memory allocated for stsc entries isn't larger
than the atom.
Without this, corrupt data can easily try to allocate all the memory,
causing a crash.

---
 libavformat/mov.c       | 2 ++


 1 file changed, 2 insertions(+)





diff --git a/libavformat/mov.c b/libavformat/mov.c


index 7d1bd9950a..4fef73c8ed 100644


--- a/libavformat/mov.c


+++ b/libavformat/mov.c


@@ -2618,6 +2618,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext
*pb, MOVAtom atom)
     avio_rb24(pb); /* flags */





     entries = avio_rb32(pb);


+    if (((size_t)entries) * 12 + 4 > atom.size)


+      return AVERROR_INVALIDDATA;





     av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n",
c->fc->nb_streams - 1, entries);




--


2.15.0.448.gf294e3d99a-goog


More information about the ffmpeg-devel mailing list