aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/mov.c
diff options
context:
space:
mode:
authorEugene Zemtsov <eugene@chromium.org>2024-04-01 19:28:03 -0700
committerJames Almer <jamrial@gmail.com>2024-04-02 00:13:12 -0300
commit8a23a145d85964950123952d897b89c2c2b1b8c5 (patch)
tree97461e37c48d4e7289dcd9fcd82a1d9da3f31c4b /libavformat/mov.c
parent9d219ff149738a9a6e3ba8f075c032cc1a3554f7 (diff)
downloadffmpeg-8a23a145d85964950123952d897b89c2c2b1b8c5.tar.gz
avformat/mov: Check if a key is longer than the atom containing it
Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov <eugene@chromium.org> Signed-off-by: James Almer <jamrial@gmail.com>
Diffstat (limited to 'libavformat/mov.c')
-rw-r--r--libavformat/mov.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 65faf58279..2b7ddc516c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5038,12 +5038,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 1; i <= count; ++i) {
uint32_t key_size = avio_rb32(pb);
uint32_t type = avio_rl32(pb);
- if (key_size < 8) {
+ if (key_size < 8 || key_size > atom.size) {
av_log(c->fc, AV_LOG_ERROR,
"The key# %"PRIu32" in meta has invalid size:"
"%"PRIu32"\n", i, key_size);
return AVERROR_INVALIDDATA;
}
+ atom.size -= key_size;
key_size -= 8;
if (type != MKTAG('m','d','t','a')) {
avio_skip(pb, key_size);