From cfe614787df3bf16be2ad01aa506881047c9a269 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 18 Mar 2021 15:26:54 +0000 Subject: [PATCH] avformat/mov: Fix extended atom size buffer length check When extended atom size support was added to probing in fec4a2d232d7ebf6d1084fb568d4d84844f25abc, the buffer size check was backwards, but probing continued to work because there was no minimum size check yet, so despite size being 1 on these atoms, and failing to read the 64-bit size, the tag was still correctly read. When 0b78016b2d7c36b32d07669c0c86bc4b4225ec98 introduced a minimum size check, this exposed the bug, and broke probing any files with extended atom sizes, such as entirely valid large files that start whith mdat atoms. Signed-off-by: Derek Buitenhuis (cherry picked from commit 85f397c828c8766d411d7bfc773c1241057e9d30) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f9c4dbe5d4..aef5517c2c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7121,7 +7121,7 @@ static int mov_probe(const AVProbeData *p) if ((offset + 8) > (unsigned int)p->buf_size) break; size = AV_RB32(p->buf + offset); - if (size == 1 && offset + 16 > (unsigned int)p->buf_size) { + if (size == 1 && offset + 16 <= (unsigned int)p->buf_size) { size = AV_RB64(p->buf+offset + 8); minsize = 16; } else if (size == 0) {