[FFmpeg-cvslog] lavf/mov: don't read outside frag_index bounds

John Stebbins git at videolan.org
Sat Nov 18 12:59:01 EET 2017


ffmpeg | branch: master | John Stebbins <jstebbins at jetheaddev.com> | Fri Nov 17 08:21:02 2017 -0800| [20c38f2e7085ce02c19df965d02ecdf5628f11b8] | committer: Michael Niedermayer

lavf/mov: don't read outside frag_index bounds

Potentially fixes:
https://bugs.chromium.org/p/chromium/issues/detail?id=786269#c1

In theory, the crash can be triggered by an invalid stream that has
either tfdt or trun outside of the moof

Reviewed-by: Dale Curtis <dalecurtis at chromium.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20c38f2e7085ce02c19df965d02ecdf5628f11b8
---

 libavformat/mov.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 3eef043046..5c9f926bce 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1188,6 +1188,10 @@ static void set_frag_stream(MOVFragmentIndex *frag_index, int id)
 static MOVFragmentStreamInfo * get_current_frag_stream_info(
     MOVFragmentIndex *frag_index)
 {
+    if (frag_index->current < 0 ||
+        frag_index->current >= frag_index->nb_items)
+        return NULL;
+
     MOVFragmentIndexItem * item = &frag_index->item[frag_index->current];
     if (item->current >= 0 && item->current < item->nb_stream_info)
         return &item->stream_info[item->current];
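Review bot: the new bounds check at the top of get_current_frag_stream_info() is placed before the declaration of `item`, so the function now has a declaration after a statement, which FFmpeg's C style does not allow. Declare `MOVFragmentIndexItem *item;` at the start of the block and assign `item = &frag_index->item[frag_index->current];` after the check. The range test itself (`current < 0 || current >= nb_items`) matches the existing inner test on `item->current`, so an out-of-range index now returns NULL instead of indexing past `frag_index->item`. The callers are not part of this hunk, so it is worth confirming that each one checks the return value for NULL before dereferencing it.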


