From 4e240985d8b856e62e4e0377283138cf51cc398e Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier
Date: Wed, 24 Sep 2008 18:55:00 +0000
Subject: [PATCH] stop parsing if tag size is wrongly < 8 to avoid infinite loop

Originally committed as revision 15401 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index aec9a9d3c4..c85301288c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1379,7 +1379,7 @@ static int mov_read_udta(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
 uint32_t tag = get_le32(pb);
 uint64_t next = url_ftell(pb) + tag_size - 8;
- if (next > end) // stop if tag_size is wrong
+ if (tag_size < 8 || next > end) // stop if tag_size is wrong
 break;
 switch (tag) {
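Review bot: The comment on the changed condition, `// stop if tag_size is wrong`, does not say what the new `tag_size < 8` test protects against. The 8 is presumably the size and tag fields already read for this entry (the declaration of `tag_size` is not in the hunk), so a smaller file-supplied value would leave `next` before the current position and the loop would make no progress on a crafted file. I would spell that out, e.g. `// tag_size includes its own 8-byte header: < 8 would move next backwards (no progress), next > end overruns the atom`. The `break` also leaves the stream positioned just after the bad entry's header; whether the rest of the atom is then skipped up to `end` is decided outside this hunk and is worth confirming, since mov_read_udta's body starts and ends beyond the visible lines.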