Browse code
Merge commit '7e01d48cfd168c3dfc663f03a3b6a98e0ecba328'
* commit '7e01d48cfd168c3dfc663f03a3b6a98e0ecba328':
mov: Check the entries value when parsing dref boxes
Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Derek Buitenhuis authored on 2016/04/14 01:30:42Showing 1 changed files
| ... | ... |
@@ -515,9 +515,11 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) |
| 515 | 515 |
|
| 516 | 516 |
avio_rb32(pb); // version + flags |
| 517 | 517 |
entries = avio_rb32(pb); |
| 518 |
- if (entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || |
|
| 518 |
+ if (!entries || |
|
| 519 |
+ entries > (atom.size - 1) / MIN_DATA_ENTRY_BOX_SIZE + 1 || |
|
| 519 | 520 |
entries >= UINT_MAX / sizeof(*sc->drefs)) |
| 520 | 521 |
return AVERROR_INVALIDDATA; |
| 522 |
+ sc->drefs_count = 0; |
|
| 521 | 523 |
av_free(sc->drefs); |
| 522 | 524 |
sc->drefs_count = 0; |
| 523 | 525 |
sc->drefs = av_mallocz(entries * sizeof(*sc->drefs)); |