Module: libav Branch: release/9 Commit: cb95c1935f43ee6ae7fd15439df0f674e809f180
Author: Michael Niedermayer <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Thu Dec 13 15:07:20 2012 +0100 qt-faststart: Check offset_count before reading from the moov_atom buffer CC: [email protected] Signed-off-by: Martin Storsjö <[email protected]> (cherry picked from commit bb95334c34d0d9abccea370ae25c4765d7764ab8) (cherry picked from commit 7754d4838178a5c09c3c3953bb2b90d1abc639e3) --- tools/qt-faststart.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c index f33d6fa..47f5c73 100644 --- a/tools/qt-faststart.c +++ b/tools/qt-faststart.c @@ -225,6 +225,10 @@ int main(int argc, char *argv[]) goto error_out; } offset_count = BE_32(&moov_atom[i + 8]); + if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) { + printf(" bad atom size/element count\n"); + goto error_out; + } for (j = 0; j < offset_count; j++) { current_offset = BE_32(&moov_atom[i + 12 + j * 4]); current_offset += moov_atom_size; @@ -242,6 +246,10 @@ int main(int argc, char *argv[]) goto error_out; } offset_count = BE_32(&moov_atom[i + 8]); + if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) { + printf(" bad atom size/element count\n"); + goto error_out; + } for (j = 0; j < offset_count; j++) { current_offset = BE_64(&moov_atom[i + 12 + j * 8]); current_offset += moov_atom_size; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
