talos-2021-1297-2

Backport of https://github.com/gpac/gpac/commit/592ba2689a3f2fc787371eda490fde4f84e60315

Backport of https://github.com/gpac/gpac/commit/592ba2689a3f2fc787371eda490fde4f84e60315

Gbp-Pq: Name talos-2021-1297-2.patch

diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index be4a85fefbeea9a4e0920e1b314a39c2f0bec8f1..280b351739375e7d6817e3156c5349d0795b063c 100644 (file)
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -5509,7 +5509,7 @@ GF_Err stss_box_read(GF_Box *s, GF_BitStream *bs)
 
        ISOM_DECREASE_SIZE(ptr, 4);
        ptr->nb_entries = gf_bs_read_u32(bs);
-       if (ptr->size <  ptr->nb_entries * 4) {
+       if (ptr->size <  ptr->nb_entries * 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
                GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stss\n", ptr->nb_entries));
                return GF_ISOM_INVALID_FILE;
        }