mirror of https://git.ffmpeg.org/ffmpeg.git
avformat/mov: Check if a key is longer than the atom containing it
Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.
Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8a23a145d8
)
parent
835453fbd8
commit
cdd355e087
|
@ -4353,12 +4353,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
|
||||||
for (i = 1; i <= count; ++i) {
|
for (i = 1; i <= count; ++i) {
|
||||||
uint32_t key_size = avio_rb32(pb);
|
uint32_t key_size = avio_rb32(pb);
|
||||||
uint32_t type = avio_rl32(pb);
|
uint32_t type = avio_rl32(pb);
|
||||||
if (key_size < 8) {
|
if (key_size < 8 || key_size > atom.size) {
|
||||||
av_log(c->fc, AV_LOG_ERROR,
|
av_log(c->fc, AV_LOG_ERROR,
|
||||||
"The key# %"PRIu32" in meta has invalid size:"
|
"The key# %"PRIu32" in meta has invalid size:"
|
||||||
"%"PRIu32"\n", i, key_size);
|
"%"PRIu32"\n", i, key_size);
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
|
atom.size -= key_size;
|
||||||
key_size -= 8;
|
key_size -= 8;
|
||||||
if (type != MKTAG('m','d','t','a')) {
|
if (type != MKTAG('m','d','t','a')) {
|
||||||
avio_skip(pb, key_size);
|
avio_skip(pb, key_size);
|
||||||
|
|
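Review bot: The new bound `key_size > atom.size` is only as tight as `atom.size` is accurate at loop entry, and the hunk does not show whether the bytes mov_read_keys reads before the loop (that code sits above the hunk) have already been subtracted from it. If they have not, the last key could presumably still claim that many bytes beyond the end of the atom and pass the check, so confirm the pre-loop reads are deducted before the loop starts. Because `atom` is a by-value parameter that now serves as a running byte budget, a short comment above `atom.size -= key_size;` would help, e.g. `/* atom.size tracks the bytes left in the keys atom */`. Both failure cases share the "invalid size" log line, which is acceptable, but the message could also print the remaining `atom.size` to make truncated files easier to triage. The loop body continues past the end of the hunk.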