$NetBSD: patch-ay,v 1.7 2009/04/05 13:15:01 drochner Exp $

--- src/demuxers/demux_qt.c.orig	2009-04-05 11:28:05.000000000 +0200
+++ src/demuxers/demux_qt.c
@@ -1535,7 +1535,8 @@ static qt_error parse_trak_atom (qt_trak
     } else if (current_atom == STTS_ATOM) {
 
       /* there should only be one of these atoms */
-      if (trak->time_to_sample_table) {
+      if (trak->time_to_sample_table
+	  || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
         last_error = QT_HEADER_TROUBLE;
         goto free_trak;
       }
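Review bot: The two new bounds in the STTS condition, `current_atom_size < 12` and `current_atom_size >= UINT_MAX`, are bare magic values with no comment. The later hunk's `(current_atom_size - 12) / 8` depends on the `< 12` test to keep the subtraction from wrapping, so the coupling should be stated here, e.g. `/* size must cover the 12 fixed bytes; the entry-count check below subtracts them */`. If `current_atom_size` is an `unsigned int` (its declaration is outside the hunk), `>= UINT_MAX` can only match exactly `UINT_MAX`, so the comment should also say what that case guards against. The patch adds no include, so confirm `<limits.h>` is already pulled in for `UINT_MAX`. The enclosing `parse_trak_atom` starts and ends outside this hunk.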
@@ -1545,6 +1546,11 @@ static qt_error parse_trak_atom (qt_trak
       debug_atom_load("    qt stts atom (time-to-sample atom): %d entries\n",
         trak->time_to_sample_count);
 
+      if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
+	last_error = QT_HEADER_TROUBLE;
+	goto free_trak;
+      }
+
       trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
         trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
       if (!trak->time_to_sample_table) {
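Review bot: The new `time_to_sample_count > (current_atom_size - 12) / 8` check bounds the entry count only against the atom's declared size, which comes from the same untrusted file. Nothing in either hunk compares `current_atom_size` with the bytes actually left in the enclosing trak buffer; if that is not done elsewhere in `parse_trak_atom`, an oversized declared length still lets the table-filling loop read past the buffer. The loop is outside the hunk, so also confirm that the offset 12 and stride 8 match the indices it uses, measured from the same origin as `current_atom_size`; otherwise the last entry can straddle the atom end. A short comment such as `/* each entry is 8 bytes; count must fit in the atom payload */` would document the intent, and it keeps `time_to_sample_count+1` in the `calloc` call from wrapping.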
