lavf/mov: don't read outside frag_index bounds

Potentially fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=786269#c1 In theory, the crash can be triggered by an invalid stream that has either tfdt or trun outside of the moof Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: John Stebbins <jstebbins@jetheaddev.com> 2017-11-17 08:21:02 -0800
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-11-18 11:57:57 +0100
commit: 20c38f2e7085ce02c19df965d02ecdf5628f11b8 (patch)
tree: 1dc74b1b08fd2bf6efc7292127799d03dc5de50a /libavformat/mov.c
parent: 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 3eef043046..5c9f926bce 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1188,6 +1188,10 @@ static void set_frag_stream(MOVFragmentIndex *frag_index, int id)
 static MOVFragmentStreamInfo * get_current_frag_stream_info(
     MOVFragmentIndex *frag_index)
 {
+    if (frag_index->current < 0 ||
+        frag_index->current >= frag_index->nb_items)
+        return NULL;
+
     MOVFragmentIndexItem * item = &frag_index->item[frag_index->current];
     if (item->current >= 0 && item->current < item->nb_stream_info)
         return &item->stream_info[item->current];
author	John Stebbins <jstebbins@jetheaddev.com>	2017-11-17 08:21:02 -0800
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-11-18 11:57:57 +0100
commit	20c38f2e7085ce02c19df965d02ecdf5628f11b8 (patch)
tree	1dc74b1b08fd2bf6efc7292127799d03dc5de50a /libavformat/mov.c
parent	5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1 (diff)