qt-faststart: Check offset_count before reading from the moov_atom buffer
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 13 Dec 2012 14:07:20 +0000 (15:07 +0100)
committerMartin Storsjö <martin@martin.st>
Fri, 28 Feb 2014 22:25:04 +0000 (00:25 +0200)
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
tools/qt-faststart.c

index 5c511a0154816d461080e9a0c38b09c3482492d3..792c27219367bf2a300489968dde12a706cd2808 100644 (file)
@@ -239,6 +239,10 @@ int main(int argc, char *argv[])
                 goto error_out;
             }
             offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
             for (j = 0; j < offset_count; j++) {
                 current_offset  = BE_32(&moov_atom[i + 12 + j * 4]);
                 current_offset += moov_atom_size;
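Review bot: The element count is still read from `moov_atom[i + 8]` on the context line before the added check runs, so the guard does not cover the 4-byte read of the count field itself. Whether the earlier atom-size check (outside the hunk) guarantees `i + 12 <= moov_atom_size` cannot be told from here. If it does not, a truncated atom near the end of the buffer is read past its end before the new test rejects it. Consider a guard ahead of the read, `if (i + 12 > moov_atom_size) goto error_out;`, with the same error message. The 64-bit hunk below has the same ordering, and main() starts and ends outside both hunks.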
@@ -256,6 +260,10 @@ int main(int argc, char *argv[])
                 goto error_out;
             }
             offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
             for (j = 0; j < offset_count; j++) {
                 current_offset  = BE_64(&moov_atom[i + 12 + j * 8]);
                 current_offset += moov_atom_size;
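Review bot: The added bound is the end of the whole moov buffer (`moov_atom_size`), not the end of the atom being patched, so an element count larger than the atom itself can hold still passes if it fits in the buffer. The loop would then treat the bytes that follow the atom as 64-bit offsets and add `moov_atom_size` to them. That is memory-safe, but if the result is stored back (the store is outside the hunk) it silently corrupts neighbouring atoms in the output file. Bounding `offset_count` by the atom's own declared size, in addition to the buffer size, would reject such input. The 32-bit hunk above has the same property with `UINT64_C(4)`.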