I have done tracksize += 8 if there is a large box. This should account for
it?
On 20-May-2015 11:17 PM, "Philip Langdale" <phil...@overt.org> wrote:
> On 2015-05-20 07:40, Niklesh Lalwani wrote:
>
>> From: Niklesh <niklesh.lalw...@iitb.ac.in>
>>
>> This patch is to be applied over the previous patch to fix movtext
>> crashes (which is yet to be committed)
>> Signed-off-by: Niklesh <niklesh.lalw...@iitb.ac.in>
>> ---
>> libavcodec/movtextdec.c | 11 ++++++++++-
>> 1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
>> index 53ffef0..1a7c811 100644
>> --- a/libavcodec/movtextdec.c
>> +++ b/libavcodec/movtextdec.c
>> @@ -96,7 +96,8 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
>> char *ptr = avpkt->data;
>> char *end;
>> //char *ptr_temp;
>> - int text_length, tsmb_type, style_entries, tsmb_size, tracksize;
>> + int text_length, tsmb_type, style_entries;
>> + uint64_t tsmb_size, tracksize;
>> int **style_start = {0,};
>> int **style_end = {0,};
>> int **style_flags = {0,};
>> @@ -147,6 +148,14 @@ static int mov_text_decode_frame(AVCodecContext
>> *avctx,
>> tsmb_type = AV_RB32(tsmb);
>> tsmb += 4;
>>
>> + if (tsmb_size == 1) {
>> + if (tracksize + 16 > avpkt->size)
>> + break;
>>
>
> You will need to adjust the "tracksize + 10" check for the style entry
> count as well.
>
> + tsmb_size = AV_RB64(tsmb);
>> + tsmb += 8;
>> + tracksize += 8;
>> + }
>> +
>> if (tracksize + tsmb_size > avpkt->size)
>> break;
>>
>
>
> --phil
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
