virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

Avoid OOM for invalid STCO / CO64 constructions.

Browse Source 
The `entries` value is read directly from the stream and used to
allocate memory. This change clamps `entries` to however many are
possible in the remaining atom or file size (whichever is smallest).

Fixes https://crbug.com/1429357

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Dale Curtis 2024-02-02 20:49:44 +00:00 committed by Michael Niedermayer
parent a3f69cdec7
commit 6ef32ea574
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/mov.c
View File

@ -2362,7 +2362,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
avio_r8(pb); /* version */ avio_r8(pb); /* version */
avio_rb24(pb); /* flags */ avio_rb24(pb); /* flags */
// Clamp allocation size for `chunk_offsets` -- don't throw an error for an
// invalid count since the EOF path doesn't throw either.
entries = avio_rb32(pb); entries = avio_rb32(pb);
entries =
FFMIN(entries,
FFMAX(0, (atom.size - 8) /
(atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8)));
if (!entries) if (!entries)
return 0; return 0;
@ -2371,6 +2377,7 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n");
return 0; return 0;
} }
av_free(sc->chunk_offsets); av_free(sc->chunk_offsets);
sc->chunk_count = 0; sc->chunk_count = 0;
sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets));