Bad content may contain stsc boxes with a first_chunk index that
exceeds stco.entries (chunk_count). This ammends the existing check to
include cases where chunk_count == 0.
---
libavformat/mov.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9b9739f788..2f3ad38ac3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2694,8 +2694,11 @@ static inline int64_t
mov_get_stsc_samples(MOVStreamContext *sc, unsigned int in
if (mov_stsc_index_valid(index, sc->stsc_count))
chunk_count = sc->stsc_data[index + 1].first -
sc->stsc_data[index].first;
- else
+ else {
+ // Validation for stsc / stco happens earlier in mov_read_stsc +
mov_read_trak.
+ av_assert0(sc->stsc_data[index].first <= sc->chunk_count);
chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1);
+ }
return sc->stsc_data[index].count * (int64_t)chunk_count;
}
@@ -4175,7 +4178,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
st->index);
return 0;
}
- if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1
].first > sc->chunk_count) {
+ if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first >
sc->chunk_count) {
av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and
STCO\n",
st->index);
return AVERROR_INVALIDDATA;
--
2.20.1.611.gfbb209baf1-goog
_______________________________________________
ffmpeg-devel mailing list
[email protected]
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
