From 500e6387116230c905b7a39baae7aa86d627a446 Mon Sep 17 00:00:00 2001
From: erankor
Date: Tue, 29 May 2018 16:18:05 +0300
Subject: [PATCH] qt-faststart - stricter input validations
1. validate the moov size before checking for cmov atom
2. avoid performing arithmetic operations on unvalidated numbers
3. verify the stco/co64 offset count does not overflow the stco/co64 atom (not only the moov atom)
Signed-off-by: Michael Niedermayer
---
 tools/qt-faststart.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c
index 97be019c58..d0ae7245f3 100644
--- a/tools/qt-faststart.c
+++ b/tools/qt-faststart.c
@@ -200,6 +200,11 @@ int main(int argc, char *argv[])
 return 0;
 }
+ if (atom_size < 16) {
+ printf("bad moov atom size\n");
+ goto error_out;
+ }
+
 /* moov atom was, in fact, the last atom in the chunk; load the whole * moov atom */
 if (fseeko(infile, -atom_size, SEEK_END)) {
@@ -239,12 +244,12 @@ int main(int argc, char *argv[])
 if (atom_type == STCO_ATOM) {
 printf(" patching stco atom...\n");
 atom_size = BE_32(&moov_atom[i - 4]);
- if (i + atom_size - 4 > moov_atom_size) {
+ if (atom_size < 16 || atom_size > moov_atom_size - i + 4) {
 printf(" bad atom size\n");
 goto error_out;
 }
 offset_count = BE_32(&moov_atom[i + 8]);
- if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
+ if (offset_count > (atom_size - 16) / 4) {
 printf(" bad atom size/element count\n");
 goto error_out;
 }
@@ -260,12 +265,12 @@ int main(int argc, char *argv[])
 } else if (atom_type == CO64_ATOM) {
 printf(" patching co64 atom...\n");
 atom_size = BE_32(&moov_atom[i - 4]);
- if (i + atom_size - 4 > moov_atom_size) {
+ if (atom_size < 16 || atom_size > moov_atom_size - i + 4) {
 printf(" bad atom size\n");
 goto error_out;
 }
 offset_count = BE_32(&moov_atom[i + 8]);
- if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
+ if (offset_count > (atom_size - 16) / 8) {
 printf(" bad atom size/element count\n");
 goto error_out;
 }
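Review bot: The `atom_size < 16` guard added in the first hunk only sets a floor, and the literal is unexplained at the point of use. The context line right after it passes `-atom_size` to fseeko(), whose failure is checked, but nothing visible here caps atom_size against the file length; the allocation and read that presumably follow are outside the hunk, so that is worth confirming there. I would add a comment such as `/* the cmov check below reads past the 8-byte atom header, so the moov atom must hold at least 16 bytes */`; the reason is inferred from the commit message, not from lines in this hunk. main() starts and ends outside the hunk.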
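Review bot: In the stco hunk the rewritten bound `atom_size > moov_atom_size - i + 4` cannot wrap only while the enclosing scan loop keeps `i` inside the moov buffer, and that loop is outside the hunk; the same expression is repeated in the co64 hunk. If these variables are unsigned, as the surrounding arithmetic suggests, a later change to the loop bound could make the right-hand side wrap to a huge value and let oversized atoms pass, so the dependency deserves a comment next to the check: `/* relies on the scan loop keeping i below moov_atom_size, so the subtraction cannot wrap */`. The literal 16 could be spelled out the same way, `/* size(4) + type(4) + version/flags(4) + entry count(4) */`, since `i - 4` and `i + 8` are read as the size and count fields here.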