authorAndreas Rheinhardt <andreas.rheinhardt@outlook.com>2021-07-24 05:43:12 +0200
committerAndreas Rheinhardt <andreas.rheinhardt@outlook.com>2021-07-28 22:26:54 +0200
commitc2d853c1aae22bbc7d9905c43a9f16cb2ba3ba33 (patch)
tree7cb03d16d4e9fb45042362cec73dccfb90354c22 /libavformat
parentf0ed8de1d6a87648ba71ed05a338ab69aac0ac50 (diff)
avformat/mov: Fix crash with too big STSZ atoms
mov_read_stsz() did not ensure that every bit of a buffer is addressable by an int as is required by the get_bits API, leading to a crash in ticket #9344. Fix this by restricting the size more thoroughly. The file from said ticket will then be considered invalid; in the future, we might read and process the data in chunks to actually support such files. Fixes ticket #9344. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/mov.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 139bcb4b5c..a847003dc2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (!entries)
return 0;
- if (entries >= (UINT_MAX - 4) / field_size)
+ if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
return AVERROR_INVALIDDATA;
if (sc->sample_sizes)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
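Review bot: The new bound `(INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size` has no comment explaining its terms, so a later edit could loosen it again without noticing the get_bits constraint that the commit message describes. I would add above the check something like `/* get_bits addresses the buffer in bits using an int, so every bit of the data plus its AV_INPUT_BUFFER_PADDING_SIZE bytes of padding must stay below INT_MAX */`. The rejection is also silent, unlike the "Duplicated STSZ atom" case two lines below it. Since the commit message says files like the one in ticket #9344 are now treated as invalid, an `av_log(c->fc, AV_LOG_ERROR, ...)` line before `return AVERROR_INVALIDDATA;` would show why such a file fails to open. mov_read_stsz starts and ends outside this hunk, so the check that `field_size` is nonzero before the division and the later buffer allocation are not visible here and should be confirmed against the full function.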