From 19c9600ea66a2b860ffad117a1266976ab21792c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
Date: Mon, 30 Jan 2017 20:20:08 +0000
Subject: [PATCH] qtdemux: sanity check number of segments in edit list

Fixes crash with fuzzed file.

https://bugzilla.gnome.org/show_bug.cgi?id=777940
---
 gst/isomp4/qtdemux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 3e2ef06337..2d9cc2ab94 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -8772,7 +8772,7 @@ qtdemux_parse_segments (GstQTDemux * qtdemux, QtDemuxStream * stream,
 
     n_segments = QT_UINT32 (buffer + 12);
 
-    if (size < 16 + n_segments * entry_size) {
+    if (n_segments > 100000 || size < 16 + n_segments * entry_size) {
       GST_WARNING_OBJECT (qtdemux, "Invalid edit list");
       goto done;
     }