qt-faststart: Check offset_count before reading from the moov_atom buffer

CC: libav-stable@libav.org Signed-off-by: N Martin Storsjö <martin@martin.st>

qt-faststart: Check offset_count before reading from the moov_atom buffer
CC: libav-stable@libav.org Signed-off-by: N Martin Storsjö <martin@martin.st>
bb95334c · Michael Niedermayer · Martin Storsjö · 63848854 · bb95334c
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

tools/qt-faststart.c tools/qt-faststart.c +8 -0

未找到文件。
--- a/tools/qt-faststart.c
+++ b/tools/qt-faststart.c
@@ -239,6 +239,10 @@ int main(int argc, char *argv[])
                goto error_out;
            }
            offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
            for (j = 0; j < offset_count; j++) {
                current_offset  = BE_32(&moov_atom[i + 12 + j * 4]);
                current_offset += moov_atom_size;
@@ -256,6 +260,10 @@ int main(int argc, char *argv[])
                goto error_out;
            }
            offset_count = BE_32(&moov_atom[i + 8]);
+            if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) {
+                printf(" bad atom size/element count\n");
+                goto error_out;
+            }
            for (j = 0; j < offset_count; j++) {
                current_offset  = BE_64(&moov_atom[i + 12 + j * 8]);
                current_offset += moov_atom_size;