[FFmpeg-cvslog] qt-faststart: Check offset_count before reading from the moov_atom buffer

Michael Niedermayer git at videolan.org
Mon Apr 21 14:02:24 CEST 2014


ffmpeg | branch: release/1.1 | Michael Niedermayer <michaelni at gmx.at> | Thu Dec 13 15:07:20 2012 +0100| [cb95c1935f43ee6ae7fd15439df0f674e809f180] | committer: Reinhard Tartler

qt-faststart: Check offset_count before reading from the moov_atom buffer

CC: libav-stable at libav.org
Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit bb95334c34d0d9abccea370ae25c4765d7764ab8)
(cherry picked from commit 7754d4838178a5c09c3c3953bb2b90d1abc639e3)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb95c1935f43ee6ae7fd15439df0f674e809f180
---

 tools/qt-faststart.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c
index f33d6fa..47f5c73 100644
--- a/tools/qt-faststart.c
+++ b/tools/qt-faststart.c
@@ -225,6 +225,10 @@ int main(int argc, char *argv[])
                 goto error_out;
             }
             offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
             for (j = 0; j < offset_count; j++) {
                 current_offset  = BE_32(&moov_atom[i + 12 + j * 4]);
                 current_offset += moov_atom_size;
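Review bot: The new check on `i + 12 + offset_count * UINT64_C(4)` compares against `moov_atom_size`, the size of the whole buffer, so an `offset_count` that overruns this atom but still ends inside the moov buffer passes, and the loop below will then treat the bytes that follow the atom as offsets. That keeps the reads in bounds, which is what the subject line promises, but if the atom's own size is known at this point, bounding the table by the atom's end would reject those files as well. The `UINT64_C(4)` multiplier deserves a short comment saying it is there so that `offset_count * 4` is evaluated in 64 bits and cannot wrap.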
@@ -242,6 +246,10 @@ int main(int argc, char *argv[])
                 goto error_out;
             }
             offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
             for (j = 0; j < offset_count; j++) {
                 current_offset  = BE_64(&moov_atom[i + 12 + j * 8]);
                 current_offset += moov_atom_size;
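Review bot: `offset_count = BE_32(&moov_atom[i + 8])`, in the context line just above the new check, reads four bytes at `i + 8` before anything in this hunk has compared `i + 12` with `moov_atom_size`. That read depends on the earlier check ending in `goto error_out`, whose condition is not visible here, so please confirm it guarantees at least `i + 12` bytes. The message `" bad atom size/element count\n"` is the same string as in the 4-byte branch and goes to stdout via `printf`; naming the atom type and printing `offset_count` would make a rejected file diagnosable. The two checks differ only in the element width (4 vs 8), so a small helper taking the width would remove the duplication.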


