Hi, the fuzzed file from ticket #3866 somehow ends up reading a dref atom, where a size element is not validated. The reading then skips that arbitrary amount without reporting an issue.
I'm not sure it is the best fix, but I don't think this could happen in any valid file, nor would it help to swallow the error. -- Christophe
From dacdd50379af1bcb3dab2ce813124cfc577adace Mon Sep 17 00:00:00 2001 From: Christophe Gisquet <christophe.gisq...@gmail.com> Date: Thu, 21 Aug 2014 12:59:10 +0200 Subject: [PATCH] mov: better check dref atome validity The size of each entry helps determining whether it would cause overreads and thus if this size, and the atom, is valid. Should fix ticket #3866. --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1255824..586fcd0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -423,6 +423,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) AVStream *st; MOVStreamContext *sc; int entries, i, j; + int64_t end = avio_tell(pb) + atom.size; if (c->fc->nb_streams < 1) return 0; @@ -446,7 +447,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) uint32_t size = avio_rb32(pb); int64_t next = avio_tell(pb) + size - 4; - if (size < 12) + if (size < 12 || next > end) return AVERROR_INVALIDDATA; dref->type = avio_rl32(pb); -- 1.9.2.msysgit.0
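Review bot: in the first hunk, `int64_t end = avio_tell(pb) + atom.size;` is computed with no guard on `atom.size`, so if the enclosing parser ever passes a negative or near-INT64_MAX size (a 64-bit largesize that was never bounded against the file), the addition wraps and `end` becomes negative; every later `next > end` comparison then fires and the atom is rejected, which fails closed but for the wrong reason and gives a misleading diagnosis. Suggest rejecting `atom.size < 0` up front (or clamping `end` to the file size where the context knows it) so the new bound is meaningful, and moving the computation below the `nb_streams < 1` early return since it is unused on that path.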
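Review bot: in the second hunk, `if (size < 12 || next > end)` now rejects an entry that would run past the dref atom, but it does so silently with a bare `return AVERROR_INVALIDDATA;`, while the cover letter's complaint was precisely that the oversized entry was skipped "without reporting an issue". Add an `av_log(c->fc, AV_LOG_ERROR, ...)` before the return that prints the offending `size` (and ideally the entry index `i`) so a rejected file is diagnosable rather than just failing. The boundary itself looks right: `next` is entry start plus `size`, so `next == end` (entry ending exactly at the atom end) is still accepted, and because `avio_tell(pb)` is int64_t the `+ size - 4` is evaluated in 64-bit and cannot wrap for small `size`, which `size < 12` rejects anyway.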
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
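The failure described in the mail, an entry size that is trusted and used as a skip distance, is easiest to see on a byte buffer. The following is an added example and is not ffmpeg's code: `walk_dref`, `rb32`, `ERR_INVALIDDATA` and the `dref_*` payloads are all assumptions made up here. It walks a dref-style payload (version/flags, entry count, then entries of `{uint32 size, uint32 type, ...}`) twice, once with only the `size < 12` check, as before the patch, and once with the additional "entry must end inside the atom" check that the patch adds, so the silent overrun and the rejection can be compared on the same constructed input.

```c
/* Added example, not ffmpeg code: a minimal dref-style entry walker over an
 * in-memory buffer, contrasting an unbounded entry skip with a skip bounded
 * by the enclosing atom's end. All names here are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)

/* Big-endian 32-bit read, the buffer analogue of avio_rb32(). */
static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the entries of a dref-like payload (the bytes after the box header):
 *   [4 bytes version/flags][4 bytes entry count][entries x {size, type, payload}]
 * bounded == 0: only reject size < 12 (the pre-patch check).
 * bounded != 0: also reject an entry whose end lies past the atom end.
 * Returns the number of entries walked or ERR_INVALIDDATA; *out_pos receives
 * the read position after the walk, so a caller can see whether the walker
 * has moved past the atom it was given. */
static int walk_dref(const uint8_t *buf, size_t len, int bounded, size_t *out_pos)
{
    size_t  pos = 0;
    int64_t end = (int64_t)len;           /* analogue of avio_tell(pb) + atom.size */

    if (len < 8)
        return ERR_INVALIDDATA;
    pos += 4;                             /* version + flags */
    uint32_t entries = rb32(buf + pos);
    pos += 4;

    for (uint32_t i = 0; i < entries; i++) {
        /* On a real AVIOContext a read past the end just hits EOF; on a raw
         * buffer we must stop before touching memory we do not own. */
        if (pos + 4 > len)
            return ERR_INVALIDDATA;
        uint32_t size = rb32(buf + pos);
        pos += 4;
        /* Entry start is 4 bytes back (its size field), so the next entry
         * begins at start + size: the same arithmetic as in the patch. */
        int64_t next = (int64_t)pos + size - 4;

        if (size < 12 || (bounded && next > end))
            return ERR_INVALIDDATA;

        /* type and the per-entry payload would be parsed here */
        pos = (size_t)next;               /* unbounded, this can land far past the atom */
    }
    *out_pos = pos;
    return (int)entries;
}

/* Constructed sample: two 'url ' entries, the second claiming size 4096
 * while only 12 bytes of it are present (32-byte payload in total). */
static const uint8_t dref_bad[] = {
    0x00, 0x00, 0x00, 0x00,                                   /* version/flags */
    0x00, 0x00, 0x00, 0x02,                                   /* entries = 2   */
    0x00, 0x00, 0x00, 0x0c, 'u', 'r', 'l', ' ', 0, 0, 0, 1,   /* entry 1: size 12 */
    0x00, 0x00, 0x10, 0x00, 'u', 'r', 'l', ' ', 0, 0, 0, 1,   /* entry 2: size 4096 */
};

/* Constructed sample: the same layout with a consistent second entry. */
static const uint8_t dref_ok[] = {
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x0c, 'u', 'r', 'l', ' ', 0, 0, 0, 1,
    0x00, 0x00, 0x00, 0x0c, 'u', 'r', 'l', ' ', 0, 0, 0, 1,
};

int main(void)
{
    size_t pos = 0;
    int r = walk_dref(dref_bad, sizeof dref_bad, 0, &pos);
    printf("unbounded: ret=%d pos=%zu (atom is %zu bytes)\n", r, pos, sizeof dref_bad);
    r = walk_dref(dref_bad, sizeof dref_bad, 1, &pos);
    printf("bounded:   ret=%d\n", r);
    r = walk_dref(dref_ok, sizeof dref_ok, 1, &pos);
    printf("valid:     ret=%d pos=%zu\n", r, pos);
    return 0;
}
```

The unbounded walk reports success on `dref_bad` while leaving the read position at byte 4116 of a 32-byte atom, which is exactly the "skips that arbitrary amount without reporting an issue" behaviour; the bounded walk rejects the second entry because its end (4116) exceeds the atom end (32), and the consistent payload still parses to its last byte.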