avformat/mov: Error on too large stsd entry counts.

Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Dale Curtis <dalecurtis@chromium.org> 2018-08-30 15:18:25 -0700
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-11-01 00:52:46 +0100
commit: 1acec9bbf55b9d53c20e8d2f147458262abdc28f (patch)
tree: 3cba476b955f79e386738d13a95e21a8f58d986f
parent: 7266a6d23c8943d76cf1e056671c9a8bd9902069 (diff)
download: ffmpeg-1acec9bbf55b9d53c20e8d2f147458262abdc28f.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f6db8a47b7..f4687db54e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2356,7 +2356,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     avio_rb24(pb); /* flags */
     entries = avio_rb32(pb);
 
-    if (entries <= 0) {
+    /* Each entry contains a size (4 bytes) and format (4 bytes). */
+    if (entries <= 0 || entries > atom.size / 8) {
         av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
         return AVERROR_INVALIDDATA;
     }
author	Dale Curtis <dalecurtis@chromium.org>	2018-08-30 15:18:25 -0700
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-11-01 00:52:46 +0100
commit	1acec9bbf55b9d53c20e8d2f147458262abdc28f (patch)
tree	3cba476b955f79e386738d13a95e21a8f58d986f
parent	7266a6d23c8943d76cf1e056671c9a8bd9902069 (diff)
download	ffmpeg-1acec9bbf55b9d53c20e8d2f147458262abdc28f.tar.gz