author | Eugene Zemtsov <eugene@chromium.org> | 2024-04-01 19:28:03 -0700 |
---|---|---|
committer | James Almer <jamrial@gmail.com> | 2024-04-02 00:13:12 -0300 |
commit | 8a23a145d85964950123952d897b89c2c2b1b8c5 (patch) | |
tree | 97461e37c48d4e7289dcd9fcd82a1d9da3f31c4b /libavformat/mov.c | |
parent | 9d219ff149738a9a6e3ba8f075c032cc1a3554f7 (diff) | |
download | ffmpeg-8a23a145d85964950123952d897b89c2c2b1b8c5.tar.gz |
avformat/mov: Check if a key is longer than the atom containing it
Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.
Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
Diffstat (limited to 'libavformat/mov.c')
-rw-r--r-- | libavformat/mov.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 65faf58279..2b7ddc516c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5038,12 +5038,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 for (i = 1; i <= count; ++i) {
 uint32_t key_size = avio_rb32(pb);
 uint32_t type = avio_rl32(pb);
- if (key_size < 8) {
+ if (key_size < 8 || key_size > atom.size) {
 av_log(c->fc, AV_LOG_ERROR,
 "The key# %"PRIu32" in meta has invalid size:"
 "%"PRIu32"\n", i, key_size);
 return AVERROR_INVALIDDATA;
 }
+ atom.size -= key_size;
 key_size -= 8;
 if (type != MKTAG('m','d','t','a')) {
 avio_skip(pb, key_size);
|
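Review bot: The new bound `key_size > atom.size` is only tight if `atom.size` already equals the bytes left in the atom when the loop starts, and this hunk does not show the bytes read before the loop being subtracted. If mov_read_keys consumes a header ahead of the loop without adjusting `atom.size` (the function begins above the hunk and continues below it, so this is inferred), the last key can still claim that many bytes beyond the atom's end; subtracting the header length before the loop would close the gap. The `avio_rb32`/`avio_rl32` reads of the key header also run before the check, so when fewer than 8 bytes remain the header is taken from past the atom before the key is rejected; testing `atom.size < 8` at the top of the loop body would avoid that. A short comment on the decrement, e.g. `/* atom.size tracks the bytes still unread in this atom */`, would make the invariant explicit for later edits.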