Commit bf252f7f authored by Baptiste Coudurier's avatar Baptiste Coudurier

prevent reading more than container atom size, fix broken file broken_by_rev15830.MOV, fix #818

Originally committed as revision 16979 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 2c823b3c
...@@ -1443,10 +1443,12 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom) ...@@ -1443,10 +1443,12 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
get_be32(pb); // type get_be32(pb); // type
get_be32(pb); // unknown get_be32(pb); // unknown
str_size = data_size - 16; str_size = data_size - 16;
atom.size -= 16;
} else return 0; } else return 0;
} else { } else {
str_size = get_be16(pb); // string length str_size = get_be16(pb); // string length
get_be16(pb); // language get_be16(pb); // language
atom.size -= 4;
} }
switch (atom.type) { switch (atom.type) {
case MKTAG(0xa9,'n','a','m'): case MKTAG(0xa9,'n','a','m'):
...@@ -1464,8 +1466,11 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom) ...@@ -1464,8 +1466,11 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
} }
if (!str) if (!str)
return 0; return 0;
get_buffer(pb, str, FFMIN(size, str_size)); if (atom.size < 0)
dprintf(c->fc, "%.4s %s\n", (char*)&atom.type, str); return -1;
get_buffer(pb, str, FFMIN3(size, str_size, atom.size));
dprintf(c->fc, "%.4s %s %d %lld\n", (char*)&atom.type, str, str_size, atom.size);
return 0; return 0;
} }
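Review bot: The length passed to `get_buffer` in the second hunk is now clamped to `atom.size`, but only `atom.size` is checked for a negative value; `str_size = data_size - 16` in the first hunk comes from the file and is not validated, so if `str_size` is a signed type (its declaration is outside the visible lines) a `data_size` below 16 would make the `FFMIN3` result negative. A guard such as `if (str_size < 0 || atom.size < 0) return -1;` would cover both, or `data_size < 16` could be rejected where it is read. Separately, the clamp uses `size` rather than `size - 1` and the return value of `get_buffer` is ignored, so a string that fills the destination appears to leave it without a terminator before the `%s` in `dprintf`; `size` is assigned in the switch, which is not shown here, so this should be confirmed against the full function.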