From 1e81086a8196e09868e3726609b322f6acfabd04 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Wed, 1 Apr 2009 02:49:51 +0100
Subject: Fix an integer overflow in the Quicktime demuxer.
--HG--
extra : transplant_source : %AE%D3%DCw%0F%073h%5D%C0%B5%A7%BA%2B%95%81%95bT%D6
---
 ChangeLog | 1 +
 src/demuxers/demux_qt.c | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 49e48990f..b3c593fb6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ xine-lib (1.1.17) 2009-??-??
 * Security fixes:
 - Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385)
+ - Fix an integer overflow in the Quicktime demuxer.
 * Enable libmpeg2new (if configured with --enable-libmpeg2new). This is not yet production code; the old mpeg2 decoder remains the default.
 * Add support for OpenBSD.
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index 4ad71e958..5aba5b479 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1535,7 +1535,8 @@ static qt_error parse_trak_atom (qt_trak *trak,
 } else if (current_atom == STTS_ATOM) {
 /* there should only be one of these atoms */
- if (trak->time_to_sample_table) {
+ if (trak->time_to_sample_table
+ || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
 last_error = QT_HEADER_TROUBLE;
 goto free_trak;
 }
@@ -1545,6 +1546,11 @@ static qt_error parse_trak_atom (qt_trak *trak,
 debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n", trak->time_to_sample_count);
+ if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
+ last_error = QT_HEADER_TROUBLE;
+ goto free_trak;
+ }
+
 trak->time_to_sample_table = (time_to_sample_table_t *)calloc( trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
 if (!trak->time_to_sample_table) {
--
cgit v1.2.3
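Review bot: The upper limit `current_atom_size >= UINT_MAX` in the new STTS condition rejects at most a single value if current_atom_size is an unsigned int (its declaration is outside the hunk), so in practice only the `< 12` floor constrains the atom. Because the size is read from the file, the bound that matters is the number of bytes still available in the trak atom being parsed; whether the enclosing loop already enforces that cannot be seen from here. I would at least record the assumption next to the check, e.g. `/* size is file-supplied; must also fit in what is left of the trak atom */`. parse_trak_atom begins and ends outside this hunk.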
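Review bot: The bare `12` and `8` in `(current_atom_size - 12) / 8` carry the whole safety argument of the added count check and are not explained. An stts entry is 8 bytes (sample count plus duration), but the fixed part in front of the first entry is 16 bytes when the atom size includes the size/type preamble, in which case `- 12` admits one entry more than fits for some sizes; how current_atom_size is measured lies outside the hunk, so this needs confirming against the offsets the read loop uses. Either way a comment such as `/* 12 = bytes before the first entry, 8 = bytes per stts entry */`, or two named constants, would let the next reader check the arithmetic. If the other sample-table atoms in this function read a count and allocate in the same way, they presumably want the same bound.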