author | Baptiste Coudurier | 2009-02-03 23:03:41 +0000 |
---|---|---|
committer | Baptiste Coudurier | 2009-02-03 23:03:41 +0000 |
commit | bf252f7f6fa9c79743242f3efdd30827c97407b4 (patch) | |
tree | 742de1ce64449042f4ee4be0c18fa825007eb256 | |
parent | 2c823b3ccca3a9d42d02713fc5ea2538a9b9a99e (diff) |
prevent reading more than container atom size, fix broken file broken_by_rev15830.MOV, fix #818
Originally committed as revision 16979 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavformat/mov.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 5dd2acef8f..ba32ca7f13 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1443,10 +1443,12 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 get_be32(pb); // type
 get_be32(pb); // unknown
 str_size = data_size - 16;
+ atom.size -= 16;
 } else return 0;
 } else {
 str_size = get_be16(pb); // string length
 get_be16(pb); // language
+ atom.size -= 4;
 }
 switch (atom.type) {
 case MKTAG(0xa9,'n','a','m'):
@@ -1464,8 +1466,11 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 }
 if (!str)
 return 0;
- get_buffer(pb, str, FFMIN(size, str_size));
- dprintf(c->fc, "%.4s %s\n", (char*)&atom.type, str);
+ if (atom.size < 0)
+ return -1;
+
+ get_buffer(pb, str, FFMIN3(size, str_size, atom.size));
+ dprintf(c->fc, "%.4s %s %d %lld\n", (char*)&atom.type, str, str_size, atom.size);
 return 0;
 } |
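Review bot: `atom.size -= 16` and `atom.size -= 4` account for the header bytes only after `get_be32`/`get_be16` have consumed them, and the `atom.size < 0` test in the second hunk runs later still, so for an atom shorter than its header the reads have already gone past the container by the time the error is returned. Checking before the reads would keep them inside the atom, e.g. `if (atom.size < 4) return -1;` ahead of `str_size = get_be16(pb);`, with the equivalent 16-byte check at the top of the iTunes branch, which begins above this hunk. The constant 16 presumably covers the size, tag, type and unknown fields; a one-line comment saying so, such as `// 16 header bytes already consumed`, would make the bookkeeping auditable.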
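Review bot: The new guard `if (atom.size < 0)` validates only one of the three operands of `FFMIN3(size, str_size, atom.size)`; `str_size = data_size - 16` in the first hunk is not checked, and nothing visible rejects a `data_size` below 16, a value that presumably comes from the file. The declaration of `str_size` is outside the hunk, so whether that produces a negative length or a wrapped unsigned one cannot be told from here; rejecting `data_size < 16` before the subtraction, or extending the guard to `if (atom.size < 0 || str_size < 0) return -1;` if the type is signed, would close the gap. Separately, `str` is passed to `%s` directly after the read, the return value of `get_buffer` is ignored, and no terminator is written; if `size` is the full capacity of the destination, reading at most `size - 1` bytes and setting the terminator explicitly would not depend on how the buffer was initialised. The function starts and the `switch` body lies outside the hunk.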