From f65e6ea3a17f98b5bcf799a1c418198028b548a1 Mon Sep 17 00:00:00 2001
From: Tim-Philipp Müller
Date: Thu, 20 Aug 2009 18:21:59 +0100
Subject: qtdemux: bail out instead of trying to alloc silly index sizes

If it looks like we would be allocating a silly size for our sample index, just bail out instead of trying to allocate it. Helps with broken or fuzzed files where we might end up trying to malloc a couple of hundred MBs otherwise.
---
 gst/qtdemux/qtdemux.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
(limited to 'gst/qtdemux')
diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index 5193ca56..32c32f9b 100644
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -66,6 +66,9 @@
 /* max. size considered 'sane' for non-mdat atoms */
 #define QTDEMUX_MAX_ATOM_SIZE (25*1024*1024)
 
+/* if the sample index is larger than this, something is likely wrong */
+#define QTDEMUX_MAX_SAMPLE_INDEX_SIZE (50*1024*1024)
+
 GST_DEBUG_CATEGORY (qtdemux_debug);
 
 /*typedef struct _QtNode QtNode; */
@@ -3570,8 +3573,11 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
 if (n_samples == 0)
 goto no_samples;
 
- GST_DEBUG_OBJECT (qtdemux, "stsz sample_size 0, allocating n_samples %u",
- n_samples);
+ GST_DEBUG_OBJECT (qtdemux, "stsz sample_size 0, allocating n_samples %u "
+ "(%u MB)", n_samples, (n_samples * sizeof (QtDemuxSample)) >> 20);
+
+ if (n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
 
 samples = g_try_new0 (QtDemuxSample, n_samples);
 if (samples == NULL)
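Review bot: The new "(%u MB)" argument in the stsz debug line, `(n_samples * sizeof (QtDemuxSample)) >> 20`, has type size_t, so it does not match `%u` on 64-bit builds, and on 32-bit builds the multiplication can wrap before the guard below it runs, so the logged size is wrong for exactly the oversized counts this change is meant to catch. Widening before the multiply and casting the result keeps the log accurate: `(guint) (((guint64) n_samples * sizeof (QtDemuxSample)) >> 20)`. The same expression is repeated at the second allocation site (the hunk at -3795) and needs the same change. The guard itself divides the limit by the element size rather than multiplying, so it is not affected by the wrap. qtdemux_parse_samples starts and ends outside this hunk.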
@@ -3795,7 +3801,11 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
 if (n_samples == 0)
 goto no_samples;
 
- GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %d", n_samples);
+ GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u (%u MB)", n_samples,
+ (n_samples * sizeof (QtDemuxSample)) >> 20);
+
+ if (n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
 
 samples = g_try_new0 (QtDemuxSample, n_samples);
 if (samples == NULL)
@@ -3940,6 +3950,13 @@ out_of_memory:
 GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", n_samples);
 return FALSE;
 }
+index_too_big:
+ {
+ GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would "
+ "be larger than %uMB (broken file?)", n_samples,
+ QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20);
+ return FALSE;
+ }
 }
 
 /* collect all segment info for @stream.
-- cgit
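Review bot: The `index_too_big` warning formats n_samples with `%d`, while the debug line in the -3795 hunk was switched from `%d` to `%u` for the same variable; counts above INT_MAX, a likely trigger for this path with a corrupted or fuzzed file, would be logged as negative numbers. Use `%u` in the first string fragment: `"not allocating index of %u samples, would "`. The unchanged `out_of_memory` message just above has the same `%d` and could be aligned in the same pass. The declaration of n_samples is outside the hunk, so its unsigned type is inferred from the `%u` changes elsewhere in this commit.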