avformat/mov: do not allocate out-of-range buffers
There's a possibility here with a well-crafted MP4 file containing only
the nested boxes in order: MOOV.TRAK.MDIA.MINF.STBL.SDTP where the
header size uses the 64 bit large size, and the ending stdp box has some
size value >= 0x100000014.
On a 32 bit build of ffmpeg, av_malloc's size parameter drops the high
order bits of `entries`, and the allocation is now a controlled size
that is significantly smaller than `entries`. The following loop will
then write off the end of allocated memory with data that follows the
box fourcc.
(cherry picked from commit 86f53f9ffb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
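The truncation described in the commit message, as an added example that is not part of the commit or of FFmpeg's code. It models a 32-bit `size_t` with `uint32_t` so it behaves the same on any host; the function names and the sample `entries` values are constructed for illustration.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: uint32_t stands in for size_t on a 32-bit build,
 * and SIZE_MAX32 for that build's SIZE_MAX. */
#define SIZE_MAX32 UINT32_MAX

/* Size the allocator actually receives when a 64-bit count is passed
 * unchecked: the implicit conversion keeps only the low 32 bits. */
static uint32_t truncated_alloc_size(int64_t entries)
{
    return (uint32_t)entries;
}

/* Gap between the count the caller believes it has and the bytes that
 * were really allocated after truncation. */
static int64_t alloc_shortfall(int64_t entries)
{
    return entries - (int64_t)truncated_alloc_size(entries);
}

/* Range check applied before allocating: negative or unrepresentable
 * counts are rejected, everything else converts without loss. */
static int checked_alloc_size(int64_t entries, uint32_t *out)
{
    if (entries < 0 || (uint64_t)entries > SIZE_MAX32)
        return -ERANGE;
    *out = (uint32_t)entries;
    return 0;
}

int main(void)
{
    /* Constructed sample counts, not taken from a real file. */
    const int64_t samples[] = { 4096, 0xFFFFFFFFLL, 0x100000010LL, -1 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t n = 0;
        int ret = checked_alloc_size(samples[i], &n);
        printf("entries=%" PRId64 " unchecked_alloc=%" PRIu32
               " shortfall=%" PRId64 " checked=%s\n",
               samples[i], truncated_alloc_size(samples[i]),
               alloc_shortfall(samples[i]), ret ? "ERANGE" : "ok");
    }
    return 0;
}
```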
committed by Michael Niedermayer
parent efb61b7f9e
commit 4fdcf4450b
@@ -3047,6 +3047,9 @@ static int mov_read_sdtp(MOVContext *c, AVIOContext *pb, MOVAtom atom)
|
||||
av_freep(&sc->sdtp_data);
|
||||
sc->sdtp_count = 0;
|
||||
|
||||
if (entries < 0 || entries > SIZE_MAX)
|
||||
return AVERROR(ERANGE);
|
||||
|
||||
sc->sdtp_data = av_malloc(entries);
|
||||
if (!sc->sdtp_data)
|
||||
return AVERROR(ENOMEM);
|
||||
|
||||
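Review bot: The new `entries > SIZE_MAX` test compares what the commit message implies is a signed 64-bit value against an unsigned limit, so it is only correct because `entries < 0` is evaluated first in the same `||`. An explicit cast on the right-hand comparison, or a one-line comment saying the order matters, would keep a later reorder from breaking it, and would also document why the test is always false on 64-bit builds. Separately, the check only bounds `entries` by what `av_malloc` can represent, not by how much data the box actually holds, so a file can still request an allocation close to `SIZE_MAX`; since the read loop is outside this hunk, it is worth confirming that it stops at end of input rather than trusting `entries`. For a value derived from malformed input, consider whether `AVERROR_INVALIDDATA` fits better than `AVERROR(ERANGE)`.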