File xine-lib-TKADV2009-005.diff of Package xine-lib

diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1535,7 +1535,8 @@ static qt_error parse_trak_atom (qt_trak
     } else if (current_atom == STTS_ATOM) {
 
       /* there should only be one of these atoms */
-      if (trak->time_to_sample_table) {
+      if (trak->time_to_sample_table
+          || current_atom_size < 12 || current_atom_size >= UINT_MAX) {
         last_error = QT_HEADER_TROUBLE;
         goto free_trak;
       }
@@ -1544,6 +1545,11 @@ static qt_error parse_trak_atom (qt_trak
 
       debug_atom_load("    qt stts atom (time-to-sample atom): %d entries\n",
         trak->time_to_sample_count);
+
+      if (trak->time_to_sample_count > (current_atom_size - 12) / 8) {
+        last_error = QT_HEADER_TROUBLE;
+        goto free_trak;
+      }
 
       trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
         trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));