diff options
| author | Tim-Philipp Müller <tim.muller@collabora.co.uk> | 2009-06-30 13:12:09 +0100 |
|---|---|---|
| committer | Tim-Philipp Müller <tim.muller@collabora.co.uk> | 2009-07-01 09:24:38 +0100 |
| commit | 8fa148d2f12383ae29a9e17e24d4feb7b7a0d071 (patch) | |
| tree | 4ad295c4405930f4fff7c5f862f03911d5f7b321 /gst/qtdemux | |
| parent | 405aae4568bbc8e3fa1c6975dc97425418dfe71a (diff) | |
qtdemux: more size checks, and use g_try_new0() instead of g_new0()
Whenever we alloc something based on a user-supplied size, we should
really use g_try_new(), otherwise we can easily be made to abort by
passing a ridiculously large number to us for allocing. Fixes
problems with some fuzzed files.
Diffstat (limited to 'gst/qtdemux')
| -rw-r--r-- | gst/qtdemux/qtdemux.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c index 6cf4a55f..4683cd03 100644 --- a/gst/qtdemux/qtdemux.c +++ b/gst/qtdemux/qtdemux.c @@ -3481,11 +3481,17 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, if (n_samples == 0) goto no_samples; + else if (n_samples < 0) + goto corrupt_file; GST_DEBUG_OBJECT (qtdemux, "stsz sample_size 0, allocating n_samples %d", n_samples); + + samples = g_try_new0 (QtDemuxSample, n_samples); + if (samples == NULL) + goto out_of_memory; + stream->n_samples = n_samples; - samples = g_new0 (QtDemuxSample, n_samples); stream->samples = samples; /* set the sample sizes */ @@ -3648,10 +3654,16 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, if (n_samples == 0) goto no_samples; + else if (n_samples < 0) + goto corrupt_file; - stream->n_samples = n_samples; GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %d", n_samples); - samples = g_new0 (QtDemuxSample, n_samples); + + samples = g_try_new0 (QtDemuxSample, n_samples); + if (samples == NULL) + goto out_of_memory; + + stream->n_samples = n_samples; stream->samples = samples; n_samples_per_chunk = QT_UINT32 (stsc_data + 12); @@ -3729,6 +3741,7 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, /* Fill in the pts_offsets */ index = 0; ctts_p = ctts_data + 16; + /* FIXME: make sure we don't read beyond the atom size/boundary */ for (i = 0; i < n_entries; i++) { count = QT_UINT32 (ctts_p); ctts_p += 4; @@ -3758,6 +3771,11 @@ no_samples: GST_WARNING_OBJECT (qtdemux, "stream has no samples"); return FALSE; } +out_of_memory: + { + GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", n_samples); + return FALSE; + } } /* collect all segment info for @stream. |