Commit d0949baf authored by Sebastian Dröge's avatar Sebastian Dröge

qtdemux: Fix out of bounds read in tag parsing code

We can't simply assume that the length of the tag value, as given
inside the stream, is correct; we should also check it against the amount of
data we actually have available.

https://bugzilla.gnome.org/show_bug.cgi?id=775451
parent 50e7096a
......@@ -11767,7 +11767,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
} else {
len = QT_UINT32 (node->data);
type = QT_UINT32 ((guint8 *) node->data + 4);
if ((type >> 24) == 0xa9) {
if ((type >> 24) == 0xa9 && len > 8 + 4) {
gint str_len;
gint lang_code;
......@@ -11786,7 +11786,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
}
offset = 12;
len = str_len + 8 + 4; /* remove trailing strings that we don't use */
len = MIN (len, str_len + 8 + 4); /* remove trailing strings that we don't use */
GST_DEBUG_OBJECT (qtdemux, "found international text tag");
if (lang_code < 0x800) { /* MAC encoded string */