avformat/mov: Check sample size
authorMichael Niedermayer <michael@niedermayer.cc>
Tue, 28 Jun 2016 21:49:36 +0000 (23:49 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 29 Jun 2016 18:00:49 +0000 (20:00 +0200)
Fixes integer overflow
Fixes: poc.mp4

Found-by: ajax secure <ajax4sec@hotmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8a3221cc67a516dfc1700bdae3566ec52c7ee823)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/mov.c

index c7caf80..33ee799 100644 (file)
@@ -2843,7 +2843,12 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
                 sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample];
                 if (sc->pseudo_stream_id == -1 ||
                    sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) {
-                    AVIndexEntry *e = &st->index_entries[st->nb_index_entries++];
+                    AVIndexEntry *e;
+                    if (sample_size > 0x3FFFFFFF) {
+                        av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", sample_size);
+                        return;
+                    }
+                    e = &st->index_entries[st->nb_index_entries++];
                     e->pos = current_offset;
                     e->timestamp = current_dts;
                     e->size = sample_size;
@@ -2968,6 +2973,10 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
                     av_log(mov->fc, AV_LOG_ERROR, "wrong chunk count %d\n", total);
                     return;
                 }
+                if (size > 0x3FFFFFFF) {
+                    av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", size);
+                    return;
+                }
                 e = &st->index_entries[st->nb_index_entries++];
                 e->pos = current_offset;
                 e->timestamp = current_dts;