avidemux: Fix various out of bounds reads when parsing ncdt tags

https://bugzilla.gnome.org/show_bug.cgi?id=777500
This commit is contained in:
Sebastian Dröge 2017-01-20 07:58:26 +02:00
parent 1ffef8bf60
commit 32d9f3c158

View file

@ -3912,6 +3912,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
tsize -= 4; tsize -= 4;
ptr += 4; ptr += 4;
left -= 4;
GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size); GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
/* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG /* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
@ -3930,10 +3931,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
break; break;
case 0x13: /* CreationDate */ case 0x13: /* CreationDate */
type = GST_TAG_DATE_TIME; type = GST_TAG_DATE_TIME;
if (ptr[4] == ':') if (left > 7) {
ptr[4] = '-'; if (ptr[4] == ':')
if (ptr[7] == ':') ptr[4] = '-';
ptr[7] = '-'; if (ptr[7] == ':')
ptr[7] = '-';
}
break; break;
default: default:
type = NULL; type = NULL;
@ -3947,6 +3950,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
ptr += sub_size; ptr += sub_size;
tsize -= sub_size; tsize -= sub_size;
left -= sub_size;
} }
break; break;
default: default: