qtdemux: add len check for sound sample descriptions v1 and v2

https://bugzilla.gnome.org/show_bug.cgi?id=663458
This commit is contained in:
Youness Alaoui 2013-01-08 19:56:46 -05:00 committed by Tim-Philipp Müller
parent 629772f735
commit 6d3ff78575

View file

@ -7048,6 +7048,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
gboolean amrwb = FALSE; gboolean amrwb = FALSE;
offset = 32; offset = 32;
/* sample description entry (16) + sound sample description v0 (20) */
if (len < 36) if (len < 36)
goto corrupt_file; goto corrupt_file;
@ -7131,6 +7132,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
} }
if (version == 0x00010000) { if (version == 0x00010000) {
/* sample description entry (16) + sound sample description v1 (20+16) */
if (len < 52)
goto corrupt_file;
switch (fourcc) { switch (fourcc) {
case FOURCC_twos: case FOURCC_twos:
case FOURCC_sowt: case FOURCC_sowt:
@ -7169,6 +7174,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
guint64 val; guint64 val;
} qtfp; } qtfp;
/* sample description entry (16) + sound sample description v2 (56) */
if (len < 72)
goto corrupt_file;
stream->samples_per_packet = QT_UINT32 (stsd_data + offset); stream->samples_per_packet = QT_UINT32 (stsd_data + offset);
qtfp.val = QT_UINT64 (stsd_data + offset + 4); qtfp.val = QT_UINT64 (stsd_data + offset + 4);
stream->rate = qtfp.fp; stream->rate = qtfp.fp;