authorDarren Salt <linux@youmustbejoking.demon.co.uk>2009-04-01 02:49:51 +0100
committerDarren Salt <linux@youmustbejoking.demon.co.uk>2009-04-01 02:49:51 +0100
commit1e81086a8196e09868e3726609b322f6acfabd04 (patch)
tree1120702e3ee981c15d2c052ba0cc3260412053e0
parent7e63be8ffb88c1fe981c7cf39c535a5553e35b31 (diff)
Fix an integer overflow in the Quicktime demuxer.
--HG-- extra : transplant_source : %AE%D3%DCw%0F%073h%5D%C0%B5%A7%BA%2B%95%81%95bT%D6
-rw-r--r--ChangeLog1
-rw-r--r--src/demuxers/demux_qt.c8
2 files changed, 8 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 49e48990f..b3c593fb6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ xine-lib (1.1.17) 2009-??-??
* Security fixes:
- Fix another possible int overflow in the 4XM demuxer.
(ref. TKADV2009-004, CVE-2009-0385)
+ - Fix an integer overflow in the Quicktime demuxer.
* Enable libmpeg2new (if configured with --enable-libmpeg2new).
This is not yet production code; the old mpeg2 decoder remains the default.
* Add support for OpenBSD.
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index 4ad71e958..5aba5b479 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1535,7 +1535,8 @@ static qt_error parse_trak_atom (qt_trak *trak,
} else if (current_atom == STTS_ATOM) {
/* there should only be one of these atoms */
- if (trak->time_to_sample_table) {
+ if (trak->time_to_sample_table
+ || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
last_error = QT_HEADER_TROUBLE;
goto free_trak;
}
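Review bot: The `current_atom_size >= UINT_MAX` term in the new STTS guard is undocumented, and if `current_atom_size` is declared as `unsigned int` (its declaration is outside this hunk) it can only match the single value `UINT_MAX`. A short comment saying what each bound protects would help, for example `/* too small for the fixed stts fields, or large enough to wrap later size arithmetic */`. The guard limits the size from below and against the type limit only. Whether the atom size is also checked against the bytes actually remaining in the enclosing trak atom is not visible here and is worth confirming, because the entry-count check in the next hunk trusts this value. parse_trak_atom begins and ends outside the hunk.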
@@ -1545,6 +1546,11 @@ static qt_error parse_trak_atom (qt_trak *trak,
debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n",
trak->time_to_sample_count);
+ if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
+ last_error = QT_HEADER_TROUBLE;
+ goto free_trak;
+ }
+
trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
if (!trak->time_to_sample_table) {
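Review bot: The constants in `trak->time_to_sample_count > (current_atom_size - 12) / 8` are unexplained, so a reader cannot verify that 12 matches the bytes preceding the first entry or that 8 is the on-disk entry size. Name them or add a comment such as `/* 8 bytes per stts entry; 12 = atom bytes before the first entry */`, after checking the 12 against the offsets the entry-reading loop uses (that loop is outside the hunk). The bound is also relative to `current_atom_size`, which comes from the file, so it only prevents over-reads if that size has been validated against the loaded buffer. If the other sample-table atoms in parse_trak_atom size their allocations from a file-supplied count in the same way, they presumably need the same check; none of them are visible in this diff.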