mov: immediately return from mov_fix_index without old index entries

If there are no index entries, e_old = st->index_entries is only one byte large, since it was created by av_realloc called with size 0. Thus accessing e_old[0].timestamp causes a heap buffer overflow. Reviewed-by: Sasi Inguva <isasi@google.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

mov: immediately return from mov_fix_index without old index entries
If there are no index entries, e_old = st->index_entries is only one byte large, since it was created by av_realloc called with size 0. Thus accessing e_old[0].timestamp causes a heap buffer overflow. Reviewed-by: Sasi Inguva <isasi@google.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
9d83b209 · Andreas Cadhalpun · 6089c44a · 9d83b209
Commit 9d83b209 authored Nov 01, 2016 by Andreas Cadhalpun
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

mov.c libavformat/mov.c +1 -1

No files found.
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2961,7 +2961,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st)
    int first_non_zero_audio_edit = -1;
    int packet_skip_samples = 0;

-    if (!msc->elst_data || msc->elst_count <= 0) {
+    if (!msc->elst_data || msc->elst_count <= 0 || nb_old <= 0) {
        return;
    }
    // Clean AVStream from traces of old index