From: Dale Curtis
Date: Fri, 2 Feb 2024 15:09:37 -0800
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] [mov] Avoid OOM for invalid STCO / CO64 constructions.

The `entries` value is read directly from the stream and used to
allocate memory. This change clamps `entries` to however many are
possible in the remaining atom or file size (whichever is smallest).
Fixes https://crbug.com/1429357

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
---
 libavformat/mov.c | 7 +++++++
 1 file changed, 7 insertions(+)

[Attachment: stco-clamp-entries.patch, decoded from base64; its commit message is the same as the mail body above]

From 04964bec430d61e89251e15b4cbb8400e4ea4af9 Mon Sep 17 00:00:00 2001
From: Dale Curtis <dalecurtis@chromium.org>
Date: Fri, 2 Feb 2024 20:49:44 +0000
Subject: [PATCH] [mov] Avoid OOM for invalid STCO / CO64 constructions.

diff --git a/libavformat/mov.c b/libavformat/mov.c
index af95e1f662..9f012b24ae 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2237,6 +2237,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n");
         return 0;
     }
+
+    // Clamp allocation size for `chunk_offsets` -- don't throw an error for an
+    // invalid count since the EOF path doesn't throw either.
+    entries =
+        FFMIN(entries, FFMIN(atom.size - 8, avio_size(pb) - avio_tell(pb)) /
+                           (atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8));
+
     av_free(sc->chunk_offsets);
     sc->chunk_count = 0;
     sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets));
-- 
2.43.0.594.gd9cf4e227d-goog

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
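Review bot: the clamp expression in the added lines of this hunk produces a negative bound when avio_size(pb) fails or when atom.size is below 8. avio_size() returns a negative AVERROR for input without a known size (a pipe or any other non-seekable AVIOContext), so avio_size(pb) - avio_tell(pb) goes negative, the inner FFMIN selects it, and the outer FFMIN stores a negative int64_t into entries; atom.size - 8 does the same for an undersized atom. If entries is unsigned (its declaration is outside the hunk) that wraps to a huge count and av_malloc_array() fails, so every stco/co64 atom read from a non-seekable input would be rejected with ENOMEM, which is a regression for piped input rather than a clamp. Suggest applying the file-size term only when it is valid and flooring the result at zero, e.g. `int64_t room = atom.size - 8, fsize = avio_size(pb);` then `if (fsize >= 0) room = FFMIN(room, fsize - avio_tell(pb));` and `entries = FFMIN(entries, FFMAX(room, 0) / (atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8));`. It would also help to av_log() at AV_LOG_WARNING when the clamp actually reduces entries, in the style of the "Ignoring duplicated STCO atom" message just above, since the comment's stated intent is to continue silently and a truncated or malformed table is otherwise invisible to the user.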
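The clamp the patch describes, as an added example in C that is not FFmpeg's code or the patch author's: a minimal reader for the stco/co64 payload that trusts the declared count (clamp == 0) beside the clamped path (clamp == 1), run over constructed boxes (a well-formed table, a co64 claiming 2 GiB of offsets inside a 24-byte atom, and a table cut short by a truncated file). The function names, the 256 MiB allocation cap standing in for av_max_alloc, and the sample bytes are assumptions of this example; only the box layout (version, flags, 32-bit count, then 32- or 64-bit big-endian offsets) comes from the format. It goes slightly beyond the patch by flooring the available room at zero, so an atom shorter than its own header yields an empty table rather than a negative bound.

```c
/* Added example, not FFmpeg or patch-author code: minimal 'stco'/'co64'
 * payload reader, declared count trusted (clamp == 0) beside the clamped
 * path (clamp == 1). Names, the MAX_ALLOC cap (stand-in for av_max_alloc)
 * and the sample boxes are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MKTAG4(a, b, c, d) \
    ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))
#define MAX_ALLOC (256ULL << 20) /* assumed 256 MiB allocator cap */

typedef struct {
    uint64_t *offsets;        /* heap array, caller frees */
    uint64_t declared;        /* entry count claimed in the box */
    uint64_t alloc_entries;   /* entries the array was sized for */
    uint64_t requested_bytes; /* bytes asked from the allocator */
    size_t count;             /* entries actually read before data ran out */
} ChunkOffsets;

static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rb64(const uint8_t *p) { return ((uint64_t)rb32(p) << 32) | rb32(p + 4); }

/* Stand-in for av_malloc_array: refuses requests above the cap. */
static void *alloc_array(uint64_t n, size_t elem)
{
    if (n > MAX_ALLOC / elem)
        return NULL;
    return malloc(n ? (size_t)(n * elem) : 1);
}

/* `buf` points at the box payload (version, flags, count, offsets); `avail`
 * is how much file remains from there (avio_size - avio_tell); `atom_size`
 * is the payload length the box header declared, which a truncated file
 * may not deliver. Returns 0 on success, -1 on short input or ENOMEM. */
static int read_chunk_offsets(uint32_t type, const uint8_t *buf, size_t avail,
                              uint64_t atom_size, int clamp, ChunkOffsets *out)
{
    size_t entry_size = (type == MKTAG4('s', 't', 'c', 'o')) ? 4 : 8;
    uint64_t entries, i;
    const uint8_t *p, *end;

    memset(out, 0, sizeof *out);
    if (avail < 8)                    /* cannot even read version/flags/count */
        return -1;
    out->declared = entries = rb32(buf + 4);

    if (clamp) {
        /* Room for entries: the smaller of the atom and the remaining file,
         * minus the 8 header bytes, floored at zero for undersized atoms. */
        uint64_t room = atom_size < avail ? atom_size : avail;
        uint64_t max_entries = (room >= 8 ? room - 8 : 0) / entry_size;
        if (entries > max_entries) {
            fprintf(stderr, "clamping %llu declared entries to %llu\n",
                    (unsigned long long)entries, (unsigned long long)max_entries);
            entries = max_entries;
        }
    }

    out->requested_bytes = entries * sizeof *out->offsets;
    out->offsets = alloc_array(entries, sizeof *out->offsets);
    if (!out->offsets)
        return -1;                    /* AVERROR(ENOMEM) in FFmpeg terms */
    out->alloc_entries = entries;

    /* Read until the count is reached or the data runs out; FFmpeg's loop
     * likewise stops on eof_reached instead of failing. */
    p = buf + 8;
    end = buf + avail;
    for (i = 0; i < entries && (size_t)(end - p) >= entry_size; i++, p += entry_size)
        out->offsets[i] = entry_size == 4 ? rb32(p) : rb64(p);
    out->count = (size_t)i;
    return 0;
}

/* Constructed sample payloads (the 8-byte size/type box header is omitted). */
static const uint8_t GOOD_STCO[] = {  /* 3 entries, all present */
    0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0x20, 0, 0, 1, 0, 0, 0, 0x10, 0 };
static const uint8_t EVIL_CO64[] = {  /* claims 0x10000000 entries (2 GiB), carries 2 */
    0, 0, 0, 0, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x30, 0, 0, 0, 0, 0, 0, 0, 0x40 };
static const uint8_t SHORT_STCO[] = { /* claims 100 entries, file ends after 5 */
    0, 0, 0, 0, 0, 0, 0, 100, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5 };

int main(void)
{
    const struct { const char *name; uint32_t type; const uint8_t *buf;
                   size_t avail; uint64_t atom_size; } cases[] = {
        { "good stco",  MKTAG4('s', 't', 'c', 'o'), GOOD_STCO,  sizeof GOOD_STCO,  sizeof GOOD_STCO },
        { "evil co64",  MKTAG4('c', 'o', '6', '4'), EVIL_CO64,  sizeof EVIL_CO64,  sizeof EVIL_CO64 },
        { "short stco", MKTAG4('s', 't', 'c', 'o'), SHORT_STCO, sizeof SHORT_STCO, 8 + 4 * 100 },
    };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++)
        for (int clamp = 0; clamp <= 1; clamp++) {
            ChunkOffsets co;
            int ret = read_chunk_offsets(cases[c].type, cases[c].buf, cases[c].avail,
                                         cases[c].atom_size, clamp, &co);
            printf("%-10s clamp=%d ret=%d declared=%llu requested=%llu bytes read=%zu\n",
                   cases[c].name, clamp, ret, (unsigned long long)co.declared,
                   (unsigned long long)co.requested_bytes, co.count);
            free(co.offsets);
        }
    return 0;
}
```

The unclamped path sizes the allocation purely from the 32-bit count in the file, so the 24-byte co64 box asks the allocator for 2 GiB and fails; the clamped path sizes it from what the atom and the remaining file can actually hold, which also makes the allocation match what the EOF-tolerant read loop will fill in the truncated case.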