Hi,

the fuzzed file from ticket #3866 somehow ends up reading a dref atom,
where a size element is not validated. The reading then skips that
arbitrary amount without reporting an issue.

I'm not sure it is the best fix, but I don't think this could happen
in any valid file, nor would it help to swallow the error.

-- 
Christophe
From dacdd50379af1bcb3dab2ce813124cfc577adace Mon Sep 17 00:00:00 2001
From: Christophe Gisquet <christophe.gisq...@gmail.com>
Date: Thu, 21 Aug 2014 12:59:10 +0200
Subject: [PATCH] mov: better check dref atom validity

The size of each entry helps determine whether it would cause overreads
and thus whether this size, and the atom, are valid.

Should fix ticket #3866.
---
 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 1255824..586fcd0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -423,6 +423,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     AVStream *st;
     MOVStreamContext *sc;
     int entries, i, j;
+    int64_t end = avio_tell(pb) + atom.size;
 
     if (c->fc->nb_streams < 1)
         return 0;
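Review bot: `end` is computed from `avio_tell(pb)` at function entry, so it relies on the caller having already consumed the atom header and positioned `pb` at the start of the dref payload; a one-line comment stating that `end` is the absolute offset of the end of this atom would make the later bound check easier to audit. Since `atom.size` and `avio_tell()` are both int64_t, the sum cannot overflow for any atom size that the caller already accepted, so no extra guard is needed here.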
@@ -446,7 +447,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         uint32_t size = avio_rb32(pb);
         int64_t next = avio_tell(pb) + size - 4;
 
-        if (size < 12)
+        if (size < 12 || next > end)
             return AVERROR_INVALIDDATA;
 
         dref->type = avio_rl32(pb);
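Review bot: the cover letter says the old code skipped an arbitrary amount "without reporting an issue", but the new `next > end` branch still returns `AVERROR_INVALIDDATA` silently; consider an `av_log(c->fc, AV_LOG_ERROR, ...)` before the return so a rejected entry (with `size`, `next` and `end`) is visible in the demuxer output rather than just failing the read. The bound itself looks right: `size` is promoted to int64_t in `avio_tell(pb) + size - 4`, the `size < 12` test short-circuits first, and an entry ending exactly at `end` is still accepted.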
-- 
1.9.2.msysgit.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
