qtdemux: Check size of compressed MOOV header against available data

author Sebastian Dröge <sebastian@centricular.com>

Thu, 1 Dec 2016 12:29:21 +0000 (14:29 +0200)

committer Sebastian Dröge <sebastian@centricular.com>

Thu, 1 Dec 2016 12:29:21 +0000 (14:29 +0200)
author Sebastian Dröge <sebastian@centricular.com>
Thu, 1 Dec 2016 12:29:21 +0000 (14:29 +0200)
committer Sebastian Dröge <sebastian@centricular.com>
Thu, 1 Dec 2016 12:29:21 +0000 (14:29 +0200)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c

index 1defb1e..2079937 100644 (file)
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -6936,12 +6936,17 @@ qtdemux_parse_moov (GstQTDemux * qtdemux, const guint8 * buffer, guint length)
      guint32 method;
      GNode *dcom;
      GNode *cmvd;
+    guint32 dcom_len;
  
      dcom = qtdemux_tree_get_child_by_type (cmov, FOURCC_dcom);
      cmvd = qtdemux_tree_get_child_by_type (cmov, FOURCC_cmvd);
      if (dcom == NULL || cmvd == NULL)
        goto invalid_compression;
  
+    dcom_len = QT_UINT32 (dcom->data);
+    if (dcom_len < 12)
+      goto invalid_compression;
+
      method = QT_FOURCC ((guint8 *) dcom->data + 8);
      switch (method) {
  #ifdef HAVE_ZLIB
@@ -6949,9 +6954,14 @@ qtdemux_parse_moov (GstQTDemux * qtdemux, const guint8 * buffer, guint length)
          guint uncompressed_length;
          guint compressed_length;
          guint8 *buf;
+        guint32 cmvd_len;
+
+        cmvd_len = QT_UINT32 ((guint8 *) cmvd->data);
+        if (cmvd_len < 12)
+          goto invalid_compression;
  
          uncompressed_length = QT_UINT32 ((guint8 *) cmvd->data + 8);
-        compressed_length = QT_UINT32 ((guint8 *) cmvd->data + 4) - 12;
+        compressed_length = cmvd_len - 12;
          GST_LOG ("length = %u", uncompressed_length);
  
          buf =
author	Sebastian Dröge <sebastian@centricular.com>
	Thu, 1 Dec 2016 12:29:21 +0000 (14:29 +0200)
committer	Sebastian Dröge <sebastian@centricular.com>
	Thu, 1 Dec 2016 12:29:21 +0000 (14:29 +0200)