Commit 500e6387 authored by erankor, committed by Michael Niedermayer

qt-faststart - stricter input validations

1. validate the moov size before checking for cmov atom
2. avoid performing arithmetic operations on unvalidated numbers
3. verify the stco/co64 offset count does not overflow the stco/co64
atom (not only the moov atom)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent a9dacdee
...@@ -200,6 +200,11 @@ int main(int argc, char *argv[]) ...@@ -200,6 +200,11 @@ int main(int argc, char *argv[])
return 0; return 0;
} }
if (atom_size < 16) {
printf("bad moov atom size\n");
goto error_out;
}
/* moov atom was, in fact, the last atom in the chunk; load the whole /* moov atom was, in fact, the last atom in the chunk; load the whole
* moov atom */ * moov atom */
if (fseeko(infile, -atom_size, SEEK_END)) { if (fseeko(infile, -atom_size, SEEK_END)) {
...@@ -239,12 +244,12 @@ int main(int argc, char *argv[]) ...@@ -239,12 +244,12 @@ int main(int argc, char *argv[])
if (atom_type == STCO_ATOM) { if (atom_type == STCO_ATOM) {
printf(" patching stco atom...\n"); printf(" patching stco atom...\n");
atom_size = BE_32(&moov_atom[i - 4]); atom_size = BE_32(&moov_atom[i - 4]);
if (i + atom_size - 4 > moov_atom_size) { if (atom_size < 16 || atom_size > moov_atom_size - i + 4) {
printf(" bad atom size\n"); printf(" bad atom size\n");
goto error_out; goto error_out;
} }
offset_count = BE_32(&moov_atom[i + 8]); offset_count = BE_32(&moov_atom[i + 8]);
if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) { if (offset_count > (atom_size - 16) / 4) {
printf(" bad atom size/element count\n"); printf(" bad atom size/element count\n");
goto error_out; goto error_out;
} }
...@@ -260,12 +265,12 @@ int main(int argc, char *argv[]) ...@@ -260,12 +265,12 @@ int main(int argc, char *argv[])
} else if (atom_type == CO64_ATOM) { } else if (atom_type == CO64_ATOM) {
printf(" patching co64 atom...\n"); printf(" patching co64 atom...\n");
atom_size = BE_32(&moov_atom[i - 4]); atom_size = BE_32(&moov_atom[i - 4]);
if (i + atom_size - 4 > moov_atom_size) { if (atom_size < 16 || atom_size > moov_atom_size - i + 4) {
printf(" bad atom size\n"); printf(" bad atom size\n");
goto error_out; goto error_out;
} }
offset_count = BE_32(&moov_atom[i + 8]); offset_count = BE_32(&moov_atom[i + 8]);
if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) { if (offset_count > (atom_size - 16) / 8) {
printf(" bad atom size/element count\n"); printf(" bad atom size/element count\n");
goto error_out; goto error_out;
} }
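Review bot: The new offset-count bound `offset_count > (atom_size - 16) / 4` in the stco branch (and the `/ 8` form in the co64 branch) is only correct because of an unstated layout — 16 bytes of size, type, version/flags and entry count precede the table, whose first entry sits at `i + 12` — so the constant deserves a comment such as `/* 16 = size(4) + type(4) + version/flags(4) + entry count(4); table starts at i + 12 */`. The companion check `atom_size > moov_atom_size - i + 4` relies on `i` never exceeding `moov_atom_size`, since the unsigned subtraction would otherwise wrap and accept any size; the loop that drives `i` is outside the hunk, so that invariant is presumably enforced there but is worth confirming. The two branches now carry byte-identical size validation, which could be hoisted above the `atom_type` dispatch to keep one copy of the rule. The enclosing main() starts and ends outside these hunks.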