From patchwork Fri Jan 27 17:44:02 2017
X-Patchwork-Submitter: Aaron Colwell
X-Patchwork-Id: 2338
From: Aaron Colwell
Date: Fri, 27 Jan 2017 17:44:02 +0000
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] mov: Fix spherical metadata_source parsing.

The metadata_source field is a null-terminated string, like other ISOBMFF strings, not an 8-bit length followed by string characters. This patch fixes the parsing code so it rejects svhd boxes that are too small and skips to the end of the svhd box since we don't actually care about the contents of the metadata_source field.

From f63f65135e7059376acff3acc0e5268a8861d21d Mon Sep 17 00:00:00 2001
From: Aaron Colwell Date: Fri, 27 Jan 2017 09:33:29 -0800 Subject: [PATCH] mov: Fix spherical metadata_source parsing. The metadata_source field is a null-terminated string, like other ISOBMFF strings, not an 8-bit length followed by string characters. This patch fixes the parsing code so it rejects svhd boxes that are too small and skips to the end of the svhd box since we don't actually care about the contents of the metadata_source field. --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7dc550eb99..b1bfa0a35f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4566,7 +4566,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) } size = avio_rb32(pb); - if (size > atom.size) + if (size <= 12 || size > atom.size) return AVERROR_INVALIDDATA; tag = avio_rl32(pb); @@ -4575,7 +4575,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } avio_skip(pb, 4); /* version + flags */ - avio_skip(pb, avio_r8(pb)); /* metadata_source */ + avio_skip(pb, size - 12); /* metadata_source */ size = avio_rb32(pb); if (size > atom.size) -- 2.11.0.483.g087da7b7c-goog
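Review bot: the new lower bound `if (size <= 12 || size > atom.size)` in the first hunk (@@ -4566) uses an unexplained literal; add a comment stating that 12 is the svhd box header (4-byte size, 4-byte tag, 4-byte version/flags) and that one more byte is required for the null terminator of metadata_source, so a reader can verify why 13 is the smallest accepted size. The same 12 is reused in the second hunk, so a named constant or at least a shared comment would keep the two places in step. Also note that the check sits before `tag = avio_rl32(pb);`, so a box at this position shorter than 13 bytes is now rejected with AVERROR_INVALIDDATA regardless of its tag rather than reaching the tag comparison that follows; if that is intended, a sentence in the commit message would record it.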
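Review bot: `avio_skip(pb, size - 12);` in the second hunk (@@ -4575) is only well-defined because the first hunk guarantees `size > 12`, and that dependency is invisible at this line; either place the lower-bound check immediately before this skip or annotate it, e.g. `avio_skip(pb, size - 12); /* metadata_source; size > 12 checked above */`. The skip length is the whole remainder of the box after the 12-byte header, which matches the commit message (the string is null-terminated and its contents are discarded), but nothing here confirms a terminating NUL is present; since the bytes are never read that is acceptable, and the comment should say so rather than leave the bare `/* metadata_source */` that was carried over from the removed `avio_r8` line.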