mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-03-28 12:32:17 +02:00
avformat/mov: Fix crash with too big STSZ atoms
mov_read_stsz() did not ensure that every bit of a buffer is addressable by an int as is required by the get_bits API, leading to a crash in ticket #9344. Fix this by restricting the size more thoroughly. The file from said ticket will then be considered invalid; in the future, we might read and process the data in chunks to actually support such files.

Fixes ticket #9344.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
parent f0ed8de1d6
commit c2d853c1aa
@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (!entries)
return 0;
if (entries >= (UINT_MAX - 4) / field_size)
if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
return AVERROR_INVALIDDATA;
if (sc->sample_sizes)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
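Review bot: The new bound on the `entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size` line has three unexplained terms, and nothing at the check itself says the limit is counted in bits because of the get_bits API; only the commit message records that. A short comment above the check stating that the total bit count of the buffer, padding included, must fit in an int would keep a later cleanup from relaxing it back toward UINT_MAX. The rejection also returns AVERROR_INVALIDDATA silently, while the duplicate-atom case just below it logs a warning. Since the commit message says the file from ticket #9344 is now treated as invalid, an av_log() reporting the entries count before the return would tell users why the file was refused.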