1 files changed, 29 insertions, 0 deletions

diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index 695059c09..e28952b23 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -896,6 +896,11 @@ static qt_error parse_trak_atom (qt_trak *trak,
     current_atom_size = _X_BE_32(&trak_atom[i - 4]);	
     current_atom = _X_BE_32(&trak_atom[i]);
 
+    if (current_atom_size > trak_atom_size - i) {
+      last_error = QT_NOT_A_VALID_FILE;
+      goto free_trak;
+    }
+
     if (current_atom == TKHD_ATOM) {
       trak->flags = _X_BE_16(&trak_atom[i + 6]);
     } else if (current_atom == ELST_ATOM) {
@@ -969,6 +974,10 @@ static qt_error parse_trak_atom (qt_trak *trak,
           trak->stsd_atoms[k].video.properties_atom_size = current_stsd_atom_size - 4;
           trak->stsd_atoms[k].video.properties_atom = 
             xine_xmalloc(trak->stsd_atoms[k].video.properties_atom_size);
+          if (!trak->stsd_atoms[k].video.properties_atom) {
+            last_error = QT_NO_MEMORY;
+            goto free_trak;
+          }
           memcpy(trak->stsd_atoms[k].video.properties_atom, &trak_atom[atom_pos],
             trak->stsd_atoms[k].video.properties_atom_size);
 
@@ -1108,6 +1117,10 @@ static qt_error parse_trak_atom (qt_trak *trak,
           trak->stsd_atoms[k].audio.properties_atom_size = current_stsd_atom_size - 4;
           trak->stsd_atoms[k].audio.properties_atom = 
             xine_xmalloc(trak->stsd_atoms[k].audio.properties_atom_size);
+          if (!trak->stsd_atoms[k].audio.properties_atom) {
+            last_error = QT_NO_MEMORY;
+            goto free_trak;
+          }
           memcpy(trak->stsd_atoms[k].audio.properties_atom, &trak_atom[atom_pos],
             trak->stsd_atoms[k].audio.properties_atom_size);
 
@@ -1224,6 +1237,10 @@ static qt_error parse_trak_atom (qt_trak *trak,
             trak->stsd_atoms[k].audio.properties_atom_size = 36;
             trak->stsd_atoms[k].audio.properties_atom = 
               xine_xmalloc(trak->stsd_atoms[k].audio.properties_atom_size);
+            if (!trak->stsd_atoms[k].audio.properties_atom) {
+              last_error = QT_NO_MEMORY;
+              goto free_trak;
+            }
             memcpy(trak->stsd_atoms[k].audio.properties_atom, 
               &trak_atom[atom_pos + 0x20],
               trak->stsd_atoms[k].audio.properties_atom_size);
@@ -1245,6 +1262,10 @@ static qt_error parse_trak_atom (qt_trak *trak,
                 (current_atom_size >= (0x4C + wave_size))) {
               trak->stsd_atoms[k].audio.wave_size = wave_size;
               trak->stsd_atoms[k].audio.wave = xine_xmalloc(wave_size);
+              if (!trak->stsd_atoms[k].audio.wave) {
+                last_error = QT_NO_MEMORY;
+                goto free_trak;
+              }
               memcpy(trak->stsd_atoms[k].audio.wave, &trak_atom[atom_pos + 0x4C],
                      wave_size);
               _x_waveformatex_le2me(trak->stsd_atoms[k].audio.wave);
@@ -1314,8 +1335,16 @@ static qt_error parse_trak_atom (qt_trak *trak,
             j += mp4_read_descr_len( &trak_atom[j], &len );
             debug_atom_load("      decoder config is %d (0x%X) bytes long\n",
               len, len);
+            if (len > current_atom_size - (j - i)) {
+              last_error = QT_NOT_A_VALID_FILE;
+              goto free_trak;
+            }
             trak->decoder_config = realloc(trak->decoder_config, len);
             trak->decoder_config_len = len;
+            if (!trak->decoder_config) {
+              last_error = QT_NO_MEMORY;
+              goto free_trak;
+            }
             memcpy(trak->decoder_config,&trak_atom[j],len);
           }
         }