summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-12-13 15:07:20 +0100
committerMartin Storsjö <martin@martin.st>2014-03-01 00:25:04 +0200
commitbb95334c34d0d9abccea370ae25c4765d7764ab8 (patch)
treef173ea705946c656e86acde5162329c6a84c3763
parent63848854256a024a19435e87d6bc76fffa65e81e (diff)
downloadffmpeg-streaming-bb95334c34d0d9abccea370ae25c4765d7764ab8.zip
ffmpeg-streaming-bb95334c34d0d9abccea370ae25c4765d7764ab8.tar.gz
qt-faststart: Check offset_count before reading from the moov_atom buffer
CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r--tools/qt-faststart.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c
index 5c511a0..792c272 100644
--- a/tools/qt-faststart.c
+++ b/tools/qt-faststart.c
@@ -239,6 +239,10 @@ int main(int argc, char *argv[])
goto error_out;
}
offset_count = BE_32(&moov_atom[i + 8]);
+ if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
+ printf(" bad atom size/element count\n");
+ goto error_out;
+ }
for (j = 0; j < offset_count; j++) {
current_offset = BE_32(&moov_atom[i + 12 + j * 4]);
current_offset += moov_atom_size;
@@ -256,6 +260,10 @@ int main(int argc, char *argv[])
goto error_out;
}
offset_count = BE_32(&moov_atom[i + 8]);
+ if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
+ printf(" bad atom size/element count\n");
+ goto error_out;
+ }
for (j = 0; j < offset_count; j++) {
current_offset = BE_64(&moov_atom[i + 12 + j * 8]);
current_offset += moov_atom_size;
OpenPOWER on IntegriCloud