diff options
| author | chcunningham <chcunningham@chromium.org> | 2018-12-13 13:58:40 -0800 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-03-24 10:38:51 +0100 |
| commit | cb901e183608b58b6ed9aea0f11c77b20967fe0e (patch) | |
| tree | 0b166ad686879aed9ba806d05728cf640174bbd5 | |
| parent | 04fe02bd80bc8dddd1e9d5a1cc9d336fc3a5a6da (diff) | |
| download | ffmpeg-cb901e183608b58b6ed9aea0f11c77b20967fe0e.tar.gz | |
lavf/mov: ensure only one tkhd per trak
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.
Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/mov.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 2328b8f445..6e954dd444 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3805,7 +3805,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); - st->id = c->fc->nb_streams; + st->id = -1; sc = av_mallocz(sizeof(MOVStreamContext)); if (!sc) return AVERROR(ENOMEM); @@ -4087,6 +4087,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + // Each stream (trak) should have exactly 1 tkhd. This catches bad files and + // avoids corrupting AVStreams mapped to an earlier tkhd. + if (st->id != -1) + return AVERROR_INVALIDDATA; + version = avio_r8(pb); flags = avio_rb24(pb); st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0; |