From 6d3ff78575397ec714c7aa7d55ae86285a3efa85 Mon Sep 17 00:00:00 2001
From: Youness Alaoui
Date: Tue, 8 Jan 2013 19:56:46 -0500
Subject: [PATCH] qtdemux: add len check for sound sample descriptions v1 and v2

https://bugzilla.gnome.org/show_bug.cgi?id=663458
---
 gst/isomp4/qtdemux.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 60349a614e..5332993d04 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7048,6 +7048,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
 gboolean amrwb = FALSE;
 offset = 32;
+ /* sample description entry (16) + sound sample description v0 (20) */
 if (len < 36)
 goto corrupt_file;
@@ -7131,6 +7132,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
 }
 if (version == 0x00010000) {
+ /* sample description entry (16) + sound sample description v1 (20+16) */
+ if (len < 52)
+ goto corrupt_file;
+
 switch (fourcc) {
 case FOURCC_twos:
 case FOURCC_sowt:
@@ -7169,6 +7174,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
 guint64 val;
 } qtfp;
+ /* sample description entry (16) + sound sample description v2 (56) */
+ if (len < 72)
+ goto corrupt_file;
+
 stream->samples_per_packet = QT_UINT32 (stsd_data + offset);
 qtfp.val = QT_UINT64 (stsd_data + offset + 4);
 stream->rate = qtfp.fp;
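Review bot: The new guards `if (len < 52)` (v1 hunk) and `if (len < 72)` (v2 hunk) compare `len` with fixed minimums, but the reads they protect are addressed as `stsd_data + offset`, so they bound those reads only if `len` has itself been checked against the bytes actually available in the stsd buffer. The assignment of `len` is outside these hunks; if it is the size field parsed from the file's own sample description entry, an entry could declare 72 while the atom holds less, and the existing `if (len < 36)` in the first hunk carries the same dependency. It is worth confirming that such a bound exists where `len` is read, and saying so next to the checks, e.g. `/* len was validated against the stsd atom size above */`. As a style point, the literals 36/52/72 repeat arithmetic that appears only in comments; named constants for the entry header and the v0/v1/v2 description sizes would keep the checks and the `offset = 32` reads in step. The body of qtdemux_parse_trak starts and ends outside all three hunks.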