From cc1968e3e7995ae737e4d484ecf7b8b6139dac91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
Date: Mon, 30 Jan 2017 20:20:08 +0000
Subject: qtdemux: sanity check number of segments in edit list

Fixes crash with fuzzed file.

https://bugzilla.gnome.org/show_bug.cgi?id=777940
---
 gst/isomp4/qtdemux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index f2c4a4286..ba36a9e09 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -8668,7 +8668,7 @@ qtdemux_parse_segments (GstQTDemux * qtdemux, QtDemuxStream * stream,
 
     n_segments = QT_UINT32 (buffer + 12);
 
-    if (size < 16 + n_segments * entry_size) {
+    if (n_segments > 100000 || size < 16 + n_segments * entry_size) {
       GST_WARNING_OBJECT (qtdemux, "Invalid edit list");
       goto done;
     }
-- 
cgit v1.2.1