diff options
author | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2021-07-24 05:43:12 +0200 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2021-07-28 22:26:54 +0200 |
commit | c2d853c1aae22bbc7d9905c43a9f16cb2ba3ba33 (patch) | |
tree | 7cb03d16d4e9fb45042362cec73dccfb90354c22 | |
parent | f0ed8de1d6a87648ba71ed05a338ab69aac0ac50 (diff) |
avformat/mov: Fix crash with too big STSZ atoms
mov_read_stsz() did not ensure that every bit of a buffer is addressable
by an int as is required by the get_bits API, leading to a crash in
ticket #9344. Fix this by restricting the size more thoroughly.
The file from said ticket will then be considered invalid; in the
future, we might read and process the data in chunks to actually support
such files.
Fixes ticket #9344.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
-rw-r--r-- | libavformat/mov.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 139bcb4b5c..a847003dc2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= (UINT_MAX - 4) / field_size) + if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size) return AVERROR_INVALIDDATA; if (sc->sample_sizes) av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n"); |