aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBaptiste Coudurier <baptiste.coudurier@gmail.com>2008-09-24 18:55:00 +0000
committerBaptiste Coudurier <baptiste.coudurier@gmail.com>2008-09-24 18:55:00 +0000
commit4e240985d8b856e62e4e0377283138cf51cc398e (patch)
tree8d3d0636e4c66aaf8ba082bf010a79035819867c
parentf2d65a6c8a0dba80a11236d17a499093788b12d3 (diff)
downloadffmpeg-4e240985d8b856e62e4e0377283138cf51cc398e.tar.gz
stop parsing if tag size is wrongly < 8 to avoid infinite loop
Originally committed as revision 15401 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavformat/mov.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index aec9a9d3c4..c85301288c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1379,7 +1379,7 @@ static int mov_read_udta(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
uint32_t tag = get_le32(pb);
uint64_t next = url_ftell(pb) + tag_size - 8;
- if (next > end) // stop if tag_size is wrong
+ if (tag_size < 8 || next > end) // stop if tag_size is wrong
break;
switch (tag) {