avformat/mov: Error on too large stsd entry counts.

Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/mov: Error on too large stsd entry counts.
Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
320b631a · Dale Curtis · Michael Niedermayer · a82e4fb8 · 320b631a
Commit 320b631a authored Aug 30, 2018 by Dale Curtis Committed by Michael Niedermayer Sep 01, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

mov.c libavformat/mov.c +2 -1

No files found.
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2558,7 +2558,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    avio_rb24(pb); /* flags */
    entries = avio_rb32(pb);

-    if (entries <= 0) {
+    /* Each entry contains a size (4 bytes) and format (4 bytes). */
+    if (entries <= 0 || entries > atom.size / 8) {
        av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
        return AVERROR_INVALIDDATA;
    }