eessppeelllloo/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-12-13 10:30:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

avformat/mov: Check if a key is longer than the atom containing it

Browse Source 
Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.

Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8a23a145d8)
This commit is contained in:
Eugene Zemtsov
2024-04-01 19:28:03 -07:00
committed by James Almer
parent 201d0e6fc1
commit 60df6aad93
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/mov.c
View File

@@ -4407,12 +4407,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 1; i <= count; ++i) { for (i = 1; i <= count; ++i) {
uint32_t key_size = avio_rb32(pb); uint32_t key_size = avio_rb32(pb);
uint32_t type = avio_rl32(pb); uint32_t type = avio_rl32(pb);
if (key_size < 8) { if (key_size < 8 || key_size > atom.size) {
av_log(c->fc, AV_LOG_ERROR, av_log(c->fc, AV_LOG_ERROR,
"The key# %"PRIu32" in meta has invalid size:" "The key# %"PRIu32" in meta has invalid size:"
"%"PRIu32"\n", i, key_size); "%"PRIu32"\n", i, key_size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
atom.size -= key_size;
key_size -= 8; key_size -= 8;
if (type != MKTAG('m','d','t','a')) { if (type != MKTAG('m','d','t','a')) {
avio_skip(pb, key_size); avio_skip(pb, key_size);