On 2012-11-27 12:24:51 +0100, Janne Grunau wrote:
> Avoids a 2G memory allocation and parsing of random data in
> mov_read_dref(). The fuzzed sample sample.mp4_s224424 triggers this.
> ---
> 
> err, now the correct patch. git send-email only works after
> git commit --amend as intended.
> 
>  libavformat/mov.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index a80bf5b..0c9dd8d 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -351,6 +351,7 @@ static int mov_read_chpl(MOVContext *c, AVIOContext *pb, 
> MOVAtom atom)
>      return 0;
>  }
>  
> +#define MIN_DATA_ENTRY_BOX_SIZE 12
>  static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>  {
>      AVStream *st;
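Review bot: The new MIN_DATA_ENTRY_BOX_SIZE has no comment saying where 12 comes from, and it sits at file scope with no blank line before the function it guards. Presumably it is the smallest data entry box the loop below can accept (8-byte box header plus 4 bytes of version/flags), so spell that out: `#define MIN_DATA_ENTRY_BOX_SIZE 12 /* size(4) + type(4) + version/flags(4) */`, followed by a blank line. The definition of mov_read_dref continues past this hunk.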
> @@ -364,7 +365,8 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, 
> MOVAtom atom)
>  
>      avio_rb32(pb); // version + flags
>      entries = avio_rb32(pb);
> -    if (entries >= UINT_MAX / sizeof(*sc->drefs))
> +    if (entries >  (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 ||
> +        entries >= UINT_MAX / sizeof(*sc->drefs))
>          return AVERROR_INVALIDDATA;
>      av_free(sc->drefs);
>      sc->drefs = av_mallocz(entries * sizeof(*sc->drefs));
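Review bot: The bound on entries is looser than what the atom can actually hold: the two avio_rb32 calls just above have already consumed 8 bytes of atom.size, and each entry needs at least MIN_DATA_ENTRY_BOX_SIZE bytes, so the largest plausible count is `(atom.size - 8) / MIN_DATA_ENTRY_BOX_SIZE`, whereas `(atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1` rounds up and counts the header bytes as entry space. It still stops the 2G allocation from the fuzzed sample, but a tighter check costs nothing: `if (entries > (atom.size - 8) / MIN_DATA_ENTRY_BOX_SIZE ||`. Note also that entries == 0 passes both conditions and reaches `av_mallocz(0)`; unless the code below the hunk handles an empty drefs array, `!entries ||` should join the rejection. The body of mov_read_dref continues outside the hunk, so the consumers of sc->drefs are not visible here.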

ping

Janne
