From e0ad7f74c762fb303b1374bb53865c5639649b29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Sun, 25 Mar 2012 14:13:04 +0200
Subject: [PATCH] MOV: bail out to toplevel when encountering a trak or mdat chunk.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch fixes the sample from trac issue #733. The issue is that the size of the trak elements is coded too large, so that the next trak element would be parsed as part of the first and truncated incorrectly.

Signed-off-by: Reimar Döffinger
---
 libavformat/mov.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 248620be68..372005c75f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -319,6 +319,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 if (atom.size >= 8) {
 a.size = avio_rb32(pb);
 a.type = avio_rl32(pb);
+ if (atom.type != MKTAG('r','o','o','t') &&
+ atom.type != MKTAG('m','o','o','v'))
+ {
+ if (a.type == MKTAG('t','r','a','k') || a.type == MKTAG('m','d','a','t'))
+ {
+ av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n");
+ avio_skip(pb, -8);
+ return 0;
+ }
+ }
 total_size += 8;
 if (a.size == 1) { /* 64 bit extended size */
 a.size = avio_rb64(pb) - 8;
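Review bot: The result of `avio_skip(pb, -8)` in the new bail-out branch is ignored, so if the rewind fails (presumably possible on input that cannot seek backwards) the function still returns 0 and parsing resumes eight bytes past the nested trak/mdat header of a file already known to be malformed. Since this path is only reached on broken or hostile input, I would fail closed there: `if (avio_skip(pb, -8) < 0) return AVERROR_INVALIDDATA;`. The log message would also be easier to triage if it named the enclosing atom type and the offset from `avio_tell(pb)`, and the wording "not at top-level" does not quite match the check, which also accepts these atoms inside `moov`. mov_read_default starts and ends outside the hunk, so how the caller treats the rest of the oversized atom after this early return cannot be confirmed from here.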