[FFmpeg-cvslog] r16979 - trunk/libavformat/mov.c
bcoudurier
subversion
Wed Feb 4 00:03:41 CET 2009
Author: bcoudurier
Date: Wed Feb 4 00:03:41 2009
New Revision: 16979
Log:
prevent reading more than container atom size, fix broken file broken_by_rev15830.MOV, fix #818
Modified:
trunk/libavformat/mov.c
Modified: trunk/libavformat/mov.c
==============================================================================
--- trunk/libavformat/mov.c Tue Feb 3 23:59:47 2009 (r16978)
+++ trunk/libavformat/mov.c Wed Feb 4 00:03:41 2009 (r16979)
@@ -1443,10 +1443,12 @@ static int mov_read_udta_string(MOVConte
get_be32(pb); // type
get_be32(pb); // unknown
str_size = data_size - 16;
+ atom.size -= 16;
} else return 0;
} else {
str_size = get_be16(pb); // string length
get_be16(pb); // language
+ atom.size -= 4;
}
switch (atom.type) {
case MKTAG(0xa9,'n','a','m'):
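Review bot: `atom.size -= 16` and `atom.size -= 4` only account for header bytes after they have already been consumed, so an atom shorter than its fixed header is still read past. The only rejection is the `atom.size < 0` test in the second hunk, and the `else return 0;` path returns before reaching it. Checking up front, e.g. `if (atom.size < 16) return -1;` at the top of the iTunes branch and `if (atom.size < 4) return -1;` in the other, would keep the header reads inside the container too. The read of `data_size` and the start of the function are above this hunk, so the exact placement needs confirming there.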
@@ -1464,8 +1466,11 @@ static int mov_read_udta_string(MOVConte
}
if (!str)
return 0;
- get_buffer(pb, str, FFMIN(size, str_size));
- dprintf(c->fc, "%.4s %s\n", (char*)&atom.type, str);
+ if (atom.size < 0)
+ return -1;
+
+ get_buffer(pb, str, FFMIN3(size, str_size, atom.size));
+ dprintf(c->fc, "%.4s %s %d %lld\n", (char*)&atom.type, str, str_size, atom.size);
return 0;
}
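Review bot: The new guard validates `atom.size` but not `str_size`, the other file-derived operand of `FFMIN3`. In the first hunk it is `data_size - 16` with no lower bound on `data_size`, and its declaration is outside the diff. If it is signed, a small `data_size` could hand `get_buffer` a negative count; if unsigned, it wraps and only `size` and `atom.size` bound the read. Adding `if (data_size < 16) return -1;` before the subtraction covers both cases. Separately, `dprintf` prints `str` with `%s` straight after the read, so unless the destination is pre-zeroed and `size` leaves room for a terminator (neither is visible here), clamp to `size - 1` and write the `'\0'` explicitly.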