[libav-devel] [PATCH 6/8] qt-faststart: Check offset_count before reading from the moov_atom buffer

Martin Storsjö Fri, 28 Feb 2014 02:30:07 -0800

From: Michael Niedermayer <[email protected]>

CC: [email protected]
---
 tools/qt-faststart.c | 8 ++++++++
 1 file changed, 8 insertions(+)


diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c
index d95feb1..b4a6555 100644
--- a/tools/qt-faststart.c
+++ b/tools/qt-faststart.c
@@ -235,6 +235,10 @@ int main(int argc, char *argv[])
                 goto error_out;
             }
             offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + INT64_C(12) + offset_count * INT64_C(4) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
             for (j = 0; j < offset_count; j++) {
                 current_offset  = BE_32(&moov_atom[i + 12 + j * 4]);
                 current_offset += moov_atom_size;
@@ -252,6 +256,10 @@ int main(int argc, char *argv[])
                 goto error_out;
             }
             offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + INT64_C(12) + offset_count * INT64_C(8) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
             for (j = 0; j < offset_count; j++) {
                 current_offset  = BE_64(&moov_atom[i + 12 + j * 8]);
                 current_offset += moov_atom_size;
-- 
1.8.3.4 (Apple Git-47)

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 6/8] qt-faststart: Check offset_count before reading from the moov_atom buffer

Reply via email to