RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2024-12-28 18:32:22 +00:00
Code Issues Projects Releases Wiki Activity

avformat/mov: Check STSD atom more completely

Browse Source 
Fixes out of array read
Fixes: 13262c363a28da8d6bdcc472aed6e9dc/asan_heap-oob_cfb5e2_3733_31cf3fcc783295c34222eb070a784f84.3gp

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2016-08-20 20:15:29 +02:00
parent a31e08fa1a
commit 8b43ee4054
1 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
libavformat/mov.c
View File

@ -2322,6 +2322,7 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
AVStream *st;
MOVStreamContext *sc;
int ret;
int entries;
if (c->fc->nb_streams < 1)
return 0;
@ -2330,21 +2331,31 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
avio_r8(pb); /* version */
avio_rb24(pb); /* flags */
sc->stsd_count = avio_rb32(pb); /* entries */
entries = avio_rb32(pb); /* entries */
if (entries <= 0) {
av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
return AVERROR_INVALIDDATA;
}
if (sc->extradata) {
av_log(c->fc, AV_LOG_ERROR, "Duplicate STSD\n");
return AVERROR_INVALIDDATA;
}
/* Prepare space for hosting multiple extradata. */
sc->extradata = av_mallocz_array(sc->stsd_count, sizeof(*sc->extradata));
if (!sc->extradata)
return AVERROR(ENOMEM);
sc->extradata = av_mallocz_array(entries, sizeof(*sc->extradata));
sc->extradata_size = av_mallocz_array(entries, sizeof(*sc->extradata_size));
if (!sc->extradata_size || !sc->extradata) {
ret = AVERROR(ENOMEM);
goto fail;
}
sc->extradata_size = av_mallocz_array(sc->stsd_count, sizeof(*sc->extradata_size));
if (!sc->extradata_size)
return AVERROR(ENOMEM);
ret = ff_mov_read_stsd_entries(c, pb, sc->stsd_count);
ret = ff_mov_read_stsd_entries(c, pb, entries);
if (ret < 0)
return ret;
sc->stsd_count = entries;
/* Restore back the primary extradata. */
av_freep(&st->codecpar->extradata);
st->codecpar->extradata_size = sc->extradata_size[0];
@ -2356,6 +2367,10 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
}
return 0;
fail:
av_freep(&sc->extradata);
av_freep(&sc->extradata_size);
return ret;
}
static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)