MOV: bail out to toplevel when encountering a trak or mdat chunk.

This patch fixes the sample from trac issue #733.
The issue is that the size of the trak elements is coded
too large, so that the next trak element would be parsed
as part of the first and truncated incorrectly.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>

1 files changed, 10 insertions, 0 deletions

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 248620be68..372005c75f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -319,6 +319,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         if (atom.size >= 8) {
             a.size = avio_rb32(pb);
             a.type = avio_rl32(pb);
+            if (atom.type != MKTAG('r','o','o','t') &&
+                atom.type != MKTAG('m','o','o','v'))
+            {
+                if (a.type == MKTAG('t','r','a','k') || a.type == MKTAG('m','d','a','t'))
+                {
+                    av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n");
+                    avio_skip(pb, -8);
+                    return 0;
+                }
+            }
             total_size += 8;
             if (a.size == 1) { /* 64 bit extended size */
                 a.size = avio_rb64(pb) - 8;