qtdemux: prevent reading past avc1 atom when parsing

... when one of the subatoms has a large/invalid size.

Fixes #626609.

diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index bfe68b02218f04b87550c1d6fd4f2b4acdcd457b..ce1e5abd9d7e11617d04756770ecebe432e1e106 100644 (file)
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -5435,8 +5435,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
                 break;
             }
 
-            len -= QT_UINT32 (avc_data);
-            avc_data += QT_UINT32 (avc_data);
+            len -= size + 8;
+            avc_data += size + 8;
           }
 
           break;