From: Niklesh <niklesh.lalw...@iitb.ac.in>
Signed-off-by: Niklesh <niklesh.lalw...@iitb.ac.in>
---
 libavcodec/movtextdec.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 53ffef0..6ff02b3 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -96,7 +96,8 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
     char *ptr = avpkt->data;
     char *end;
     //char *ptr_temp;
-    int text_length, tsmb_type, style_entries, tsmb_size, tracksize;
+    int text_length, tsmb_type, style_entries;
+    uint64_t tsmb_size, tracksize;
     int **style_start = {0,};
     int **style_end = {0,};
     int **style_flags = {0,};
@@ -147,17 +148,30 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
         tsmb_type = AV_RB32(tsmb);
         tsmb += 4;
+        if (tsmb_size == 1) {
+            if (tracksize + 16 > avpkt->size)
+                break;
+            tsmb_size = AV_RB64(tsmb);
+            tsmb += 8;
+        }
+
         if (tracksize + tsmb_size > avpkt->size)
             break;
         if (tsmb_type == MKBETAG('s','t','y','l')) {
-            if (tracksize + 10 > avpkt->size)
+            if (tsmb_size > 0xFFFFFFFF) {
+                if (tracksize + 18 > avpkt->size)
+                    break;
+            } else if (tracksize + 10 > avpkt->size)
                 break;
             style_entries = AV_RB16(tsmb);
             tsmb += 2;
             // A single style record is of length 12 bytes.
-            if (tracksize + 10 + style_entries * 12 > avpkt->size)
+            if (tsmb_size > 0xFFFFFFFF) {
+                if (tracksize + 18 + style_entries * 12 > avpkt->size)
+                    break;
+            } else if (tracksize + 10 + style_entries * 12 > avpkt->size)
                 break;
             for(i = 0; i < style_entries; i++) {
--
1.9.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
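Review bot: Widening `tsmb_size` and `tracksize` to uint64_t in the first hunk lets the guard `if (tracksize + tsmb_size > avpkt->size)` in the second hunk wrap once `tsmb_size` has been loaded with AV_RB64, so a 64-bit size close to UINT64_MAX makes the sum small and the bound check passes. Comparing against the remaining bytes avoids the wrap, `if (tsmb_size > (uint64_t)avpkt->size - tracksize) break;`, provided tracksize is already bounded by avpkt->size at that point, which the loop condition outside the hunk would have to guarantee. The following `tsmb_size > 0xFFFFFFFF` tests infer the box header length from the size value, yet an extended-size header can carry a value below that, in which case the 10-byte check is applied while `tsmb` is already 16 bytes into the box; recording the header length (8 or 16) in a variable when the size is parsed and using it in those checks would remove the inference. mov_text_decode_frame begins and ends outside both hunks.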