From 53e099de8b3206af78312c00308225a558fffbef Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Date: Mon, 15 Jun 2009 02:07:41 +0000
Subject: check atom size against edit_count to avoid very long loop

Originally committed as revision 19198 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'libavformat/mov.c')

diff --git a/libavformat/mov.c b/libavformat/mov.c
index af94394516..19e39339c8 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1831,6 +1831,9 @@ static int mov_read_elst(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
     get_be24(pb); /* flags */
     edit_count = get_be32(pb); /* entries */
 
+    if((uint64_t)edit_count*12+8 > atom.size)
+        return -1;
+
     for(i=0; i<edit_count; i++){
         int time;
         int duration = get_be32(pb); /* Track duration */
-- 
cgit v1.2.3