har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qt-faststart: Check offset_count before reading from the moov_atom buffer

Browse Source 
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
Michael Niedermayer 2012-12-13 15:07:20 +01:00 committed by Martin Storsjö
parent 6384885425
commit bb95334c34
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
tools/qt-faststart.c
View File

@ -239,6 +239,10 @@ int main(int argc, char *argv[])
goto error_out; goto error_out;
} }
offset_count = BE_32(&moov_atom[i + 8]); offset_count = BE_32(&moov_atom[i + 8]);
if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
printf(" bad atom size/element count\n");
goto error_out;
}
for (j = 0; j < offset_count; j++) { for (j = 0; j < offset_count; j++) {
current_offset = BE_32(&moov_atom[i + 12 + j * 4]); current_offset = BE_32(&moov_atom[i + 12 + j * 4]);
current_offset += moov_atom_size; current_offset += moov_atom_size;
@ -256,6 +260,10 @@ int main(int argc, char *argv[])
goto error_out; goto error_out;
} }
offset_count = BE_32(&moov_atom[i + 8]); offset_count = BE_32(&moov_atom[i + 8]);
if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
printf(" bad atom size/element count\n");
goto error_out;
}
for (j = 0; j < offset_count; j++) { for (j = 0; j < offset_count; j++) {
current_offset = BE_64(&moov_atom[i + 12 + j * 8]); current_offset = BE_64(&moov_atom[i + 12 + j * 8]);
current_offset += moov_atom_size; current_offset += moov_atom_size;