From 74104d2dc05d903a2b94e3457fc1a2cf8fe224a2 Mon Sep 17 00:00:00 2001
From: Fredrik Hubinette <hubbe@google.com>
Date: Wed, 15 Nov 2017 17:24:30 -0800
Subject: [PATCH] avformat/mov: Check size of STSC allocation

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 90b068f091..6ebdf8a4b7 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2411,6 +2411,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     avio_rb24(pb); /* flags */
 
     entries = avio_rb32(pb);
+    if ((uint64_t)entries * 12 + 4 > atom.size)
+        return AVERROR_INVALIDDATA;
 
     av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries);