diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2018-03-16 19:53:36 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-07-08 19:45:45 +0200 |
| commit | 0288fa9319d5f3f7aa65c37d26ec7f90bfcdae02 (patch) | |
| tree | c78a0926cb690128739879aa5895bd5977bd78f1 | |
| parent | f6a55b04904e3de235075c5e8b657c534cbe0d24 (diff) | |
| download | ffmpeg-0288fa9319d5f3f7aa65c37d26ec7f90bfcdae02.tar.gz | |
avformat/mov: Check STSC and remove invalid entries
Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009
Affects: aark15sd_9A62E2FA.mp4
Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/mov.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 519d3b8d6c..9f638c4650 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2412,6 +2412,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; + for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || + (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || + sc->stsc_data[i].first < 1 || + sc->stsc_data[i].count < 1 || + sc->stsc_data[i].id < 1) { + av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); + if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) + return AVERROR_INVALIDDATA; + // We replace this entry by the next valid + sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; + sc->stsc_data[i].count = sc->stsc_data[i+1].count; + sc->stsc_data[i].id = sc->stsc_data[i+1].id; + } + } if (pb->eof_reached) return AVERROR_EOF; @@ -3606,6 +3621,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + st->index); + return AVERROR_INVALIDDATA; + } fix_timescale(c, sc); |