On 2012-11-27 12:24:51 +0100, Janne Grunau wrote: > Avoids a 2G memory allocation and parsing of random data in > mov_read_dref(). The fuzzed sample sample.mp4_s224424 triggers this. > --- > > err, now the correct patch. git send-email only works after > git commit --amend as intended. > > libavformat/mov.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index a80bf5b..0c9dd8d 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -351,6 +351,7 @@ static int mov_read_chpl(MOVContext *c, AVIOContext *pb, > MOVAtom atom) > return 0; > } > > +#define MIN_DATA_ENTRY_BOX_SIZE 12 > static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) > { > AVStream *st; > @@ -364,7 +365,8 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, > MOVAtom atom) > > avio_rb32(pb); // version + flags > entries = avio_rb32(pb); > - if (entries >= UINT_MAX / sizeof(*sc->drefs)) > + if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || > + entries >= UINT_MAX / sizeof(*sc->drefs)) > return AVERROR_INVALIDDATA; > av_free(sc->drefs); > sc->drefs = av_mallocz(entries * sizeof(*sc->drefs));
ping Janne _______________________________________________ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel