avformat/mov: Fix crash with too big STSZ atoms

mov_read_stsz() did not ensure that every bit of a buffer is addressable by an int as is required by the get_bits API, leading to a crash in ticket #9344. Fix this by restricting the size more thoroughly. The file from said ticket will then be considered invalid; in the future, we might read and process the data in chunks to actually support such files. Fixes ticket #9344. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
4 years ago · c2d853c1aa
parent f0ed8de1d6
commit c2d853c1aa
1 changed files with 1 additions and 1 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -2856,7 +2856,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)

    if (!entries)
        return 0;
-    if (entries >= (UINT_MAX - 4) / field_size)
+    if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
        return AVERROR_INVALIDDATA;
    if (sc->sample_sizes)
        av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");