avidemux: Fix various out of bounds reads when parsing ncdt tags

https://bugzilla.gnome.org/show_bug.cgi?id=777500

avidemux: Fix various out of bounds reads when parsing ncdt tags
https://bugzilla.gnome.org/show_bug.cgi?id=777500
32d9f3c1 · Sebastian Dröge · 1ffef8bf · 32d9f3c1
Commit 32d9f3c1 authored Jan 20, 2017 by Sebastian Dröge
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

gst/avi/gstavidemux.c gst/avi/gstavidemux.c +8 -4

No files found.
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -3912,6 +3912,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,

          tsize -= 4;
          ptr += 4;
+          left -= 4;

          GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
          /* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
@@ -3930,10 +3931,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
              break;
            case 0x13:         /* CreationDate */
              type = GST_TAG_DATE_TIME;
-              if (ptr[4] == ':')
-                ptr[4] = '-';
-              if (ptr[7] == ':')
-                ptr[7] = '-';
+              if (left > 7) {
+                if (ptr[4] == ':')
+                  ptr[4] = '-';
+                if (ptr[7] == ':')
+                  ptr[7] = '-';
+              }
              break;
            default:
              type = NULL;
@@ -3947,6 +3950,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,

          ptr += sub_size;
          tsize -= sub_size;
+          left -= sub_size;
        }
        break;
      default: