This avoids a seek on some files that might accidentally have a seemingly valid mfra offset
/Tomas
From 23f1ddc8ae4064f6d03efd54fb9da5ca9fc450ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= <g...@haerdin.se>
Date: Wed, 11 Dec 2024 14:56:31 +0100
Subject: [PATCH 3/6] lavf/mov: Parse and verify the whole mfro box
---
 libavformat/mov.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 98a05e8411..58481747e4 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10028,11 +10028,31 @@ static int mov_read_mfra(MOVContext *c, AVIOContext *f)
 int64_t stream_size = avio_size(f);
 int64_t original_pos = avio_tell(f);
 int64_t seek_ret;
+ uint32_t mfro_size, mfro_version, mfro_flags;
 int ret = -1;
- if ((seek_ret = avio_seek(f, stream_size - 4, SEEK_SET)) < 0) {
+
+ // be picky with the mfro box so we don't perform unnecessary seeks
+ if ((seek_ret = avio_seek(f, stream_size - 16, SEEK_SET)) < 0) {
 ret = seek_ret;
 goto fail;
 }
+ if ((mfro_size = avio_rb32(f)) != 16) {
+ av_log(c->fc, AV_LOG_DEBUG, "incorrect mfro size: %u\n", mfro_size);
+ goto fail;
+ }
+ if (avio_rb32(f) != MKBETAG('m', 'f', 'r', 'o')) {
+ av_log(c->fc, AV_LOG_DEBUG, "no mfro box\n");
+ goto fail;
+ }
+ if ((mfro_version = avio_r8(f)) != 0) {
+ av_log(c->fc, AV_LOG_DEBUG, "unsupported mfro version: %u\n", mfro_version);
+ goto fail;
+ }
+ if ((mfro_flags = avio_rb24(f)) != 0) {
+ av_log(c->fc, AV_LOG_DEBUG, "incorrect mfro flags: %x\n", mfro_flags);
+ goto fail;
+ }
+
 c->mfra_size = avio_rb32(f);
 c->have_read_mfra_size = 1;
 if (!c->mfra_size || c->mfra_size > stream_size) {
-- 
2.39.2
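Review bot: The new seek to `stream_size - 16` is issued without first checking `stream_size`, so when `avio_size()` returns an error (a negative value) or the input is shorter than 16 bytes the target offset is negative and the code depends on `avio_seek()` rejecting it. An explicit guard ahead of the seek, `if (stream_size < 16) goto fail;`, would state the precondition directly instead of leaving it to the seek. Separately, the four new `goto fail` paths exit before `c->have_read_mfra_size = 1;` is reached; if code outside this hunk uses that flag to avoid probing the file tail again, a file without a valid mfro box would be re-probed on each call, which is worth confirming against the callers. The body of `mov_read_mfra` starts before and continues past the hunk, so the `fail:` label and the remaining mfra checks are not visible here.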