qtdemux: Check for invalid atom length when extracting Closed Caption data

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-243
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>

diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index fa8a469a4c235e20754f1a3f496f7e467dd19d08..39b0b80dad3a19342a31d0d65254104c3fa73489 100644 (file)
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -6193,7 +6193,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size,
     goto invalid_cdat;
   atom_length = QT_UINT32 (data);
   fourcc = QT_FOURCC (data + 4);
-  if (G_UNLIKELY (atom_length > size || atom_length == 8))
+  if (G_UNLIKELY (atom_length > size || atom_length <= 8))
     goto invalid_cdat;
 
   GST_DEBUG_OBJECT (stream->pad, "here");