avidemux: Fix various out of bounds reads when parsing ncdt tags

https://bugzilla.gnome.org/show_bug.cgi?id=777500
This commit is contained in:
Sebastian Dröge 2017-01-20 07:58:26 +02:00
parent 1ffef8bf60
commit 32d9f3c158

View file

@ -3912,6 +3912,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
tsize -= 4;
ptr += 4;
left -= 4;
GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
/* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
@ -3930,10 +3931,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
break;
case 0x13: /* CreationDate */
type = GST_TAG_DATE_TIME;
if (left > 7) {
if (ptr[4] == ':')
ptr[4] = '-';
if (ptr[7] == ':')
ptr[7] = '-';
}
break;
default:
type = NULL;
@ -3947,6 +3950,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
ptr += sub_size;
tsize -= sub_size;
left -= sub_size;
}
break;
default: