Merge commit 'd7d6efe42b'

* commit 'd7d6efe42b': h264: check sps.log2_max_frame_num for validity mov: validate number of DataReferenceBox entries against box size mov: compute avg_frame_rate only if duration is known flac: change minimum and default of lpc_passes option to 1 Conflicts: libavcodec/h264_ps.c libavformat/mov.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
2025-12-08 06:09:50 +00:00 · 2012-12-07 15:45:25 +01:00 · 2012-12-07 15:45:25 +01:00 · 7c425e4f2d
commit 7c425e4f2d
parent af164d7d9f d7d6efe42b
3 changed files with 16 additions and 8 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -429,6 +429,7 @@ static int mov_read_chpl(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    return 0;
 }

+#define MIN_DATA_ENTRY_BOX_SIZE 12
 static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 {
    AVStream *st;
@ -442,7 +443,8 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)

    avio_rb32(pb); // version + flags
    entries = avio_rb32(pb);
-    if (entries >= UINT_MAX / sizeof(*sc->drefs))
+    if (entries >  (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 ||
+        entries >= UINT_MAX / sizeof(*sc->drefs))
        return AVERROR_INVALIDDATA;
    av_free(sc->drefs);
    sc->drefs_count = 0;
@ -2222,7 +2224,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)

        if (st->duration > 0)
            av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
-                    sc->time_scale*st->nb_frames, st->duration, INT_MAX);
+                      sc->time_scale*st->nb_frames, st->duration, INT_MAX);

 #if FF_API_R_FRAME_RATE
        if (sc->stts_count == 1 || (sc->stts_count == 2 && sc->stts_data[1].count == 1))