avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()

Fixes: #7165

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2018-05-21 03:16:58 +02:00
parent 919e37377a
commit fe84f70819
1 changed files with 11 additions and 3 deletions

View File

@ -2642,14 +2642,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
sc->stsc_count = i; sc->stsc_count = i;
for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { for (i = sc->stsc_count - 1; i < UINT_MAX; i--) {
int64_t first_min = i + 1;
if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) ||
(i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) ||
sc->stsc_data[i].first < 1 || sc->stsc_data[i].first < first_min ||
sc->stsc_data[i].count < 1 || sc->stsc_data[i].count < 1 ||
sc->stsc_data[i].id < 1) { sc->stsc_data[i].id < 1) {
av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id);
if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) if (i+1 >= sc->stsc_count) {
return AVERROR_INVALIDDATA; sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min);
if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first)
sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX);
sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1);
sc->stsc_data[i].id = FFMAX(sc->stsc_data[i].id, 1);
continue;
}
av_assert0(sc->stsc_data[i+1].first >= 2);
// We replace this entry by the next valid // We replace this entry by the next valid
sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1;
sc->stsc_data[i].count = sc->stsc_data[i+1].count; sc->stsc_data[i].count = sc->stsc_data[i+1].count;