Re: [FFmpeg-devel] [PATCH] avformat/mov: Check STSC and remove invalid entries

2018-03-20 Thread Michael Niedermayer
On Tue, Mar 20, 2018 at 02:06:27AM +0100, Michael Niedermayer wrote:
> Fixes assertion failure
> Fixes: crbug 822547, crbug 822666 and crbug 823009
> 
> Affects: aark15sd_9A62E2FA.mp4
> 
> Found-by: ClusterFuzz
> Reviewed-by: Matt Wolenetz 
> Signed-off-by: Michael Niedermayer 
> ---
>  libavformat/mov.c | 20 
>  1 file changed, 20 insertions(+)

will apply

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesn't understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.


___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel


[FFmpeg-devel] [PATCH] avformat/mov: Check STSC and remove invalid entries

2018-03-19 Thread Michael Niedermayer
Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009

Affects: aark15sd_9A62E2FA.mp4

Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
---
 libavformat/mov.c | 20 
 1 file changed, 20 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 232e59887e..075e833bad 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2655,6 +2655,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 }
 
 sc->stsc_count = i;
+for (i = sc->stsc_count - 1; i < UINT_MAX; i--) {
+if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= 
sc->stsc_data[i+1].first) ||
+(i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) ||
+sc->stsc_data[i].first < 1 ||
+sc->stsc_data[i].count < 1 ||
+sc->stsc_data[i].id < 1) {
+av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d 
count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, 
sc->stsc_data[i].id);
+if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2)
+return AVERROR_INVALIDDATA;
+// We replace this entry by the next valid
+sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1;
+sc->stsc_data[i].count = sc->stsc_data[i+1].count;
+sc->stsc_data[i].id= sc->stsc_data[i+1].id;
+}
+}
 
 if (pb->eof_reached) {
 av_log(c->fc, AV_LOG_WARNING, "reached eof, corrupted STSC atom\n");
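Review bot: In the validity test of the new loop in mov_read_stsc, the clause (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) compares entry i against a predecessor that this backward walk has not checked yet, so one bad first value in entry i-1 makes a well-formed entry i look invalid. When i is the last entry, the i+1 >= sc->stsc_count branch then returns AVERROR_INVALIDDATA for the whole atom instead of repairing the single bad entry. The >= comparison against entry i+1 already enforces strict ordering for every adjacent pair as the loop walks down, so consider dropping the i-1 clause, or add a comment saying why the last entry has to be rejected in that case. Separately, for (i = sc->stsc_count - 1; i < UINT_MAX; i--) terminates only through wrap-around of i, which also is what skips the loop when stsc_count is 0; a one-line comment, or for (i = sc->stsc_count; i-- > 0; ), would make that explicit. If i is unsigned, as that loop condition implies, the %d printing it in the av_log call should be %u.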
@@ -4144,6 +4159,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
st->index);
 return 0;
 }
+if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > 
sc->chunk_count) {
+av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and 
STCO\n",
+   st->index);
+return AVERROR_INVALIDDATA;
+}
 
 fix_timescale(c, sc);
 
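Review bot: The new check in mov_read_trak also fires when sc->chunk_count is 0, because after the validation added in mov_read_stsc every surviving entry has first >= 1, so sc->stsc_data[sc->stsc_count - 1].first > sc->chunk_count is always true for a track that has an STSC table but no chunk offsets. If that case should not be fatal, add sc->chunk_count to the condition; if it should, a comment saying so would help. The message would be more useful for triage if it printed both values (the last first and chunk_count), and "contradictionary" should read "contradictory". Style: the spaces inside stsc_data[ sc->stsc_count - 1 ] do not match the indexing used in the other hunk.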
-- 
2.16.2
