highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prevent reading more than container atom size, fix broken file broken_by_rev15830.MOV, fix #818

Browse Source 
Originally committed as revision 16979 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Baptiste Coudurier
2009-02-03 23:03:41 +00:00
parent 2c823b3ccc
commit bf252f7f6f
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libavformat/mov.c
View File

@@ -1443,10 +1443,12 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
get_be32(pb); // type get_be32(pb); // type
get_be32(pb); // unknown get_be32(pb); // unknown
str_size = data_size - 16; str_size = data_size - 16;
atom.size -= 16;
} else return 0; } else return 0;
} else { } else {
str_size = get_be16(pb); // string length str_size = get_be16(pb); // string length
get_be16(pb); // language get_be16(pb); // language
atom.size -= 4;
} }
switch (atom.type) { switch (atom.type) {
case MKTAG(0xa9,'n','a','m'): case MKTAG(0xa9,'n','a','m'):
@@ -1464,8 +1466,11 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
} }
if (!str) if (!str)
return 0; return 0;
get_buffer(pb, str, FFMIN(size, str_size)); if (atom.size < 0)
dprintf(c->fc, "%.4s %s\n", (char*)&atom.type, str); return -1;
get_buffer(pb, str, FFMIN3(size, str_size, atom.size));
dprintf(c->fc, "%.4s %s %d %lld\n", (char*)&atom.type, str, str_size, atom.size);
return 0; return 0;
} }