authorerankor <eran.kornblau@kaltura.com>2018-05-29 16:18:05 +0300
committerMichael Niedermayer <michael@niedermayer.cc>2018-05-30 02:42:10 +0200
commit500e6387116230c905b7a39baae7aa86d627a446 (patch)
tree354497fd210bdd9282be925fc642753a20efb173 /tools/qt-faststart.c
parenta9dacdeea6168787a142209bd19fdd74aefc9dd6 (diff)
qt-faststart - stricter input validations
1. validate the moov size before checking for cmov atom 2. avoid performing arithmetic operations on unvalidated numbers 3. verify the stco/co64 offset count does not overflow the stco/co64 atom (not only the moov atom) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'tools/qt-faststart.c')
-rw-r--r--tools/qt-faststart.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c
index 97be019c58..d0ae7245f3 100644
--- a/tools/qt-faststart.c
+++ b/tools/qt-faststart.c
@@ -200,6 +200,11 @@ int main(int argc, char *argv[])
return 0;
}
+ if (atom_size < 16) {
+ printf("bad moov atom size\n");
+ goto error_out;
+ }
+
/* moov atom was, in fact, the last atom in the chunk; load the whole
* moov atom */
if (fseeko(infile, -atom_size, SEEK_END)) {
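Review bot: The added `atom_size < 16` test bounds the moov size from below only, and the bare `16` is unexplained where it is used. The commit message ties it to the later cmov check, so it is presumably the 8-byte moov header plus the 8-byte header of the first child atom; a comment such as `/* need the moov header plus the first child's size and type for the cmov test */` would make that auditable. No upper bound against the file length is visible before `fseeko(infile, -atom_size, SEEK_END)`. If `atom_size` is an unsigned 64-bit value (its declaration is outside the hunk), an oversized value is left for the seek or a later allocation to reject, which is worth confirming. `main` begins and ends outside this hunk.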
@@ -239,12 +244,12 @@ int main(int argc, char *argv[])
if (atom_type == STCO_ATOM) {
printf(" patching stco atom...\n");
atom_size = BE_32(&moov_atom[i - 4]);
- if (i + atom_size - 4 > moov_atom_size) {
+ if (atom_size < 16 || atom_size > moov_atom_size - i + 4) {
printf(" bad atom size\n");
goto error_out;
}
offset_count = BE_32(&moov_atom[i + 8]);
- if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
+ if (offset_count > (atom_size - 16) / 4) {
printf(" bad atom size/element count\n");
goto error_out;
}
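Review bot: The rewritten bound `atom_size > moov_atom_size - i + 4` is only sound while `i` stays below `moov_atom_size`, and that guarantee comes from the enclosing scan loop, which is outside this hunk. If the operands are unsigned (the declarations are not visible here), a violated invariant would wrap the right-hand side and let any size through, so it deserves a comment at the check, e.g. `/* the scan loop keeps i < moov_atom_size, so the subtraction cannot wrap */`. The literal `16` should be explained too: `/* 16 = size + type + version/flags + entry count, i.e. the bytes before the first offset */`. Both remarks apply equally to the co64 hunk that follows, which repeats the same two checks with an entry width of 8 instead of 4.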
@@ -260,12 +265,12 @@ int main(int argc, char *argv[])
} else if (atom_type == CO64_ATOM) {
printf(" patching co64 atom...\n");
atom_size = BE_32(&moov_atom[i - 4]);
- if (i + atom_size - 4 > moov_atom_size) {
+ if (atom_size < 16 || atom_size > moov_atom_size - i + 4) {
printf(" bad atom size\n");
goto error_out;
}
offset_count = BE_32(&moov_atom[i + 8]);
- if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
+ if (offset_count > (atom_size - 16) / 8) {
printf(" bad atom size/element count\n");
goto error_out;
}