The metadata_source field is a null-terminated string, like other ISOBMFF strings, not an 8-bit length followed by string characters. This patch fixes the parsing code so it rejects svhd boxes that are too small and skips to the end of the svhd box since we don't actually care about the contents of the metadata_source field.
From f63f65135e7059376acff3acc0e5268a8861d21d Mon Sep 17 00:00:00 2001 From: Aaron Colwell <acolw...@google.com> Date: Fri, 27 Jan 2017 09:33:29 -0800 Subject: [PATCH] mov: Fix spherical metadata_source parsing.
The metadata_source field is a null-terminated string, like other ISOBMFF strings, not an 8-bit length followed by string characters. This patch fixes the parsing code so it rejects svhd boxes that are too small and skips to the end of the svhd box since we don't actually care about the contents of the metadata_source field. --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7dc550eb99..b1bfa0a35f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4566,7 +4566,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) } size = avio_rb32(pb); - if (size > atom.size) + if (size <= 12 || size > atom.size) return AVERROR_INVALIDDATA; tag = avio_rl32(pb); @@ -4575,7 +4575,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } avio_skip(pb, 4); /* version + flags */ - avio_skip(pb, avio_r8(pb)); /* metadata_source */ + avio_skip(pb, size - 12); /* metadata_source */ size = avio_rb32(pb); if (size > atom.size) -- 2.11.0.483.g087da7b7c-goog
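Review bot: In the first hunk, the literal 12 in `if (size <= 12 || size > atom.size)` is unexplained and has to stay equal to the 12 in `avio_skip(pb, size - 12)` in the second hunk. It is the number of bytes consumed before metadata_source: 4 for the size read by avio_rb32, 4 for the tag read by avio_rl32, and 4 for version + flags. Using `<=` rather than `<` also requires at least one byte of string, which is the null terminator the commit message describes. A one-line comment spelling out that sum, or a named constant shared by both sites, would keep the bound and the skip from drifting apart if the header handling changes.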
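Review bot: In the second hunk, the trailing context after `avio_skip(pb, size - 12);` still validates the next box with only `if (size > atom.size)`. That check has no lower bound, and it compares against the full atom.size even though the svhd box has already been consumed from the atom by that point. Consider giving it a minimum size as the svhd check now has, and comparing against the bytes remaining in the atom instead of its total size. Separately, `size - 12` is safe only because of the `size <= 12` rejection several lines earlier; a short comment at the skip noting that dependency would protect it from later reordering.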
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel