qtdemux: avoid looping indefinitely in broken svq3 files

Abort if an atom with size 0 is read from within the svq3 stsd
atoms

https://bugzilla.gnome.org/show_bug.cgi?id=726512

diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 2824dca..7df6259 100644 (file)
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -6914,6 +6914,12 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux, GNode * stsd,
         fourcc = QT_FOURCC (stsd_data + 4);
         data = stsd_data + 8;
 
+        if (size == 0) {
+          GST_WARNING_OBJECT (qtdemux, "Atom of size 0 found, aborting "
+              "svq3 atom parsing");
+          goto end;
+        }
+
         switch (fourcc) {
           case FOURCC_gama:{
             if (size == 12) {