From 32d9f3c158b58984be7731434df619131c0736f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Fri, 20 Jan 2017 07:58:26 +0200
Subject: [PATCH] avidemux: Fix various out of bounds reads when parsing ncdt tags
https://bugzilla.gnome.org/show_bug.cgi?id=777500
---
 gst/avi/gstavidemux.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
index 4475576000..d7afd1e710 100644
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -3912,6 +3912,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
 tsize -= 4;
 ptr += 4;
+ left -= 4;
 GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
 /* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
@@ -3930,10 +3931,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
 break;
 case 0x13: /* CreationDate */
 type = GST_TAG_DATE_TIME;
- if (ptr[4] == ':')
- ptr[4] = '-';
- if (ptr[7] == ':')
- ptr[7] = '-';
+ if (left > 7) {
+ if (ptr[4] == ':')
+ ptr[4] = '-';
+ if (ptr[7] == ':')
+ ptr[7] = '-';
+ }
 break;
 default:
 type = NULL;
@@ -3947,6 +3950,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
 ptr += sub_size;
 tsize -= sub_size;
+ left -= sub_size;
 }
 break;
 default:
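Review bot: The new `left > 7` guard in the CreationDate case bounds `ptr[4]` and `ptr[7]` against the remaining mapped buffer but not against this sub-tag's own `sub_size`, so a CreationDate sub-tag shorter than 8 bytes still gets its `:` to `-` rewrite applied to bytes that belong to the next sub-tag's header or payload (the loop advances by `sub_size` afterwards). Tightening the guard to `if (left > 7 && sub_size > 7) {` keeps the write inside the sub-tag that is being parsed. Whether the date string is later consumed with `sub_size` as its length is not visible here; gst_avi_demux_parse_ncdt begins and ends outside the hunk.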
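Review bot: `left -= sub_size` is added at the end of the loop body without a visible check that `sub_size <= left`; if `left` is an unsigned count like `tsize` appears to be, a crafted `sub_size` larger than the remaining buffer wraps it, and the `left > 7` guard added earlier in the loop then passes on a bogus value for the following sub-tag. If no such bound exists before the switch, add `if (sub_size > left) break;` ahead of the advance, mirroring whatever check `tsize` receives. The loop and the enclosing function continue outside this hunk, so this may already be covered there.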