authorMichael Niedermayer <michaelni@gmx.at>2011-12-15 20:51:00 +0100
committerLuca Barbato <lu_zero@gentoo.org>2012-09-16 16:53:06 +0200
commita5ea623b364b8a605fc92c973a98cd66cb7e6a5d (patch)
tree4d5c1f90dd5ff82b301ca645ea624cc2537c4fd3
parent9db67bedf0e517c19dad02db1752a5dfb52eaa69 (diff)
mov: stsd entries must be at least 16 byte
Fix near infinite loop in stsd parsing. Bug found by: Diana Elena Muscalu The size is unsigned according to the specification. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
-rw-r--r--libavformat/mov.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 09228cb011..87c890ebfc 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1098,13 +1098,16 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries)
int dref_id = 1;
MOVAtom a = { AV_RL32("stsd") };
int64_t start_pos = avio_tell(pb);
- int size = avio_rb32(pb); /* size */
+ uint32_t size = avio_rb32(pb); /* size */
uint32_t format = avio_rl32(pb); /* data format */
if (size >= 16) {
avio_rb32(pb); /* reserved */
avio_rb16(pb); /* reserved */
dref_id = avio_rb16(pb);
+ } else {
+ av_log(c->fc, AV_LOG_ERROR, "invalid size %d in stsd\n", size);
+ return AVERROR_INVALIDDATA;
}
if (st->codec->codec_tag &&