virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-19 05:49:09 +02:00
Code Issues Releases Activity

avformat/mov: validate chunk_count vs stsc_data

Browse Source 
Bad content may contain stsc boxes with a first_chunk index that
exceeds stco.entries (chunk_count). This ammends the existing check to
include cases where chunk_count == 0. It also patches up the case
when stsc refers to unknown chunks, but stts has no samples (so we
can simply ignore stsc).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c15449ca9a5bfa387868ac55628397273da761f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
chcunningham 2019-02-07 14:58:17 -08:00 committed by Michael Niedermayer
parent 0063964f84
commit 08b159fd0d
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libavformat/mov.c
View File

@ -2496,8 +2496,11 @@ static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int in
if (mov_stsc_index_valid(index, sc->stsc_count))
chunk_count = sc->stsc_data[index + 1].first - sc->stsc_data[index].first;
else
else {
// Validation for stsc / stco happens earlier in mov_read_stsc + mov_read_trak.
av_assert0(sc->stsc_data[index].first <= sc->chunk_count);
chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1);
}
return sc->stsc_data[index].count * (int64_t)chunk_count;
}
@ -3822,6 +3825,13 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
c->trak_index = -1;
// Here stsc refers to a chunk not described in stco. This is technically invalid,
// but we can overlook it (clearing stsc) whenever stts_count == 0 (indicating no samples).
if (!sc->chunk_count && !sc->stts_count && sc->stsc_count) {
sc->stsc_count = 0;
av_freep(&sc->stsc_data);
}
/* sanity checks */
if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count ||
(!sc->sample_size && !sc->sample_count))) ||
@ -3830,7 +3840,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st->index);
return 0;
}
if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) {
if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) {
av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n",
st->index);
return AVERROR_INVALIDDATA;