[FFmpeg-devel] mov: Fix spherical metadata_source parsing.

Message ID	CAA0c1bBbzspMEr2BKCUV1p7=yahZpTAp-wsyWvwu31NLnL4+eQ@mail.gmail.com
State	New
Headers	show Delivered-To: ffmpegpatchwork@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; MIME-Version: 1.0 From: Aaron Colwell <acolwell-at-google.com@ffmpeg.org> Date: Fri, 27 Jan 2017 17:44:02 +0000 Message-ID: <CAA0c1bBbzspMEr2BKCUV1p7=yahZpTAp-wsyWvwu31NLnL4+eQ@mail.gmail.com> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Content-Type: multipart/mixed; boundary=94eb2c0b7b0097f99c05471703d2 Subject: [FFmpeg-devel] [PATCH] mov: Fix spherical metadata_source parsing. Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Message ID

CAA0c1bBbzspMEr2BKCUV1p7=yahZpTAp-wsyWvwu31NLnL4+eQ@mail.gmail.com

State

New

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100; 
MIME-Version: 1.0
From: Aaron Colwell <acolwell-at-google.com@ffmpeg.org>
Date: Fri, 27 Jan 2017 17:44:02 +0000
Message-ID: <CAA0c1bBbzspMEr2BKCUV1p7=yahZpTAp-wsyWvwu31NLnL4+eQ@mail.gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: multipart/mixed; boundary=94eb2c0b7b0097f99c05471703d2
Subject: [FFmpeg-devel] [PATCH] mov: Fix spherical metadata_source parsing.
Precedence: list
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Commit Message

Aaron Colwell Jan. 27, 2017, 5:44 p.m. UTC

The metadata_source field is a null-terminated string, like other ISOBMFF
strings, not an 8-bit length followed by string characters. This patch
fixes the parsing code so it rejects svhd boxes that are too small and
skips to the end of the svhd box since we don't actually care about the
contents of the
metadata_source field.

Comments

James Almer Jan. 28, 2017, 1:53 a.m. UTC | #1

On 1/27/2017 2:44 PM, Aaron Colwell wrote:
> The metadata_source field is a null-terminated string, like other ISOBMFF
> strings, not an 8-bit length followed by string characters. This patch
> fixes the parsing code so it rejects svhd boxes that are too small and
> skips to the end of the svhd box since we don't actually care about the
> contents of the
> metadata_source field.
> 
> 
> 0001-mov-Fix-spherical-metadata_source-parsing.patch
> 
> 
> From f63f65135e7059376acff3acc0e5268a8861d21d Mon Sep 17 00:00:00 2001
> From: Aaron Colwell <acolwell@google.com>
> Date: Fri, 27 Jan 2017 09:33:29 -0800
> Subject: [PATCH] mov: Fix spherical metadata_source parsing.
> 
> The metadata_source field is a null-terminated string, like other ISOBMFF strings,
> not an 8-bit length followed by string characters. This patch fixes the parsing
> code so it rejects svhd boxes that are too small and skips to the end of the svhd
> box since we don't actually care about the contents of the
> metadata_source field.
> ---
>  libavformat/mov.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 7dc550eb99..b1bfa0a35f 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -4566,7 +4566,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>      }
>  
>      size = avio_rb32(pb);
> -    if (size > atom.size)
> +    if (size <= 12 || size > atom.size)
>          return AVERROR_INVALIDDATA;
>  
>      tag = avio_rl32(pb);
> @@ -4575,7 +4575,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>          return 0;
>      }
>      avio_skip(pb, 4); /*  version + flags */
> -    avio_skip(pb, avio_r8(pb)); /* metadata_source */
> +    avio_skip(pb, size - 12); /* metadata_source */
>  
>      size = avio_rb32(pb);
>      if (size > atom.size)
> -- 2.11.0.483.g087da7b7c-goog

Pushed, thanks.

From f63f65135e7059376acff3acc0e5268a8861d21d Mon Sep 17 00:00:00 2001
From: Aaron Colwell <acolwell@google.com>
Date: Fri, 27 Jan 2017 09:33:29 -0800
Subject: [PATCH] mov: Fix spherical metadata_source parsing.

The metadata_source field is a null-terminated string, like other ISOBMFF strings,
not an 8-bit length followed by string characters. This patch fixes the parsing
code so it rejects svhd boxes that are too small and skips to the end of the svhd
box since we don't actually care about the contents of the
metadata_source field.
---
 libavformat/mov.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7dc550eb99..b1bfa0a35f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4566,7 +4566,7 @@  static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     }
 
     size = avio_rb32(pb);
-    if (size > atom.size)
+    if (size <= 12 || size > atom.size)
         return AVERROR_INVALIDDATA;
 
     tag = avio_rl32(pb);
@@ -4575,7 +4575,7 @@  static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         return 0;
     }
     avio_skip(pb, 4); /*  version + flags */
-    avio_skip(pb, avio_r8(pb)); /* metadata_source */
+    avio_skip(pb, size - 12); /* metadata_source */
 
     size = avio_rb32(pb);
     if (size > atom.size)
-- 
2.11.0.483.g087da7b7c-goog

[FFmpeg-devel] mov: Fix spherical metadata_source parsing.

Commit Message

Comments

Patch