avformat/mov: Check if a key is longer than the atom containing it

Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.

Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8a23a145d8)
This commit is contained in:
Eugene Zemtsov 2024-04-01 19:28:03 -07:00 committed by James Almer
parent 835453fbd8
commit cdd355e087
1 changed files with 2 additions and 1 deletions

View File

@ -4353,12 +4353,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 1; i <= count; ++i) { for (i = 1; i <= count; ++i) {
uint32_t key_size = avio_rb32(pb); uint32_t key_size = avio_rb32(pb);
uint32_t type = avio_rl32(pb); uint32_t type = avio_rl32(pb);
if (key_size < 8) { if (key_size < 8 || key_size > atom.size) {
av_log(c->fc, AV_LOG_ERROR, av_log(c->fc, AV_LOG_ERROR,
"The key# %"PRIu32" in meta has invalid size:" "The key# %"PRIu32" in meta has invalid size:"
"%"PRIu32"\n", i, key_size); "%"PRIu32"\n", i, key_size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
atom.size -= key_size;
key_size -= 8; key_size -= 8;
if (type != MKTAG('m','d','t','a')) { if (type != MKTAG('m','d','t','a')) {
avio_skip(pb, key_size); avio_skip(pb, key_size);