Hi,
the fuzzed file from ticket #3866 somehow ends on reading a dref atom,
where a size element is not validated. The reading then skips that
arbitrary amount without reporting an issue.
I'm not sure it is the best fix, but I don't think this could happen
in any valid file, nor it would help to swallow the error.
--
Christophe
From dacdd50379af1bcb3dab2ce813124cfc577adace Mon Sep 17 00:00:00 2001
From: Christophe Gisquet <christophe.gisq...@gmail.com>
Date: Thu, 21 Aug 2014 12:59:10 +0200
Subject: [PATCH] mov: better check dref atome validity
The size of each entry helps determining whether it would cause overreads
and thus if this size, and the atom, is valid.
Should fix ticket #3866.
---
libavformat/mov.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 1255824..586fcd0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -423,6 +423,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
AVStream *st;
MOVStreamContext *sc;
int entries, i, j;
+ int64_t end = avio_tell(pb) + atom.size;
if (c->fc->nb_streams < 1)
return 0;
@@ -446,7 +447,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
uint32_t size = avio_rb32(pb);
int64_t next = avio_tell(pb) + size - 4;
- if (size < 12)
+ if (size < 12 || next > end)
return AVERROR_INVALIDDATA;
dref->type = avio_rl32(pb);
--
1.9.2.msysgit.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
