From 767e8bf6687bc64620cef9c50966e09f8ec9cf0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Tue, 2 Nov 2021 17:43:17 +0200
Subject: [PATCH] qtdemux: Parse ctts version

Negative composition time offsets are only allowed with version 1 of the box, however we parse it as a signed value also for version 0 boxes as unfortunately there are such files out there and it's unlikely to have (valid) huge composition offsets.

Part-of:
---
 subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index ccbc68b63d..c7a0fd058c 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -9368,12 +9368,17 @@ qtdemux_stbl_init (GstQTDemux * qtdemux, QtDemuxStream * stream, GNode * stbl)
 ! !qtdemux_tree_get_child_by_type_full (stbl, FOURCC_ctts, &stream->ctts) ? TRUE : FALSE) == TRUE) {
 GstByteReader cslg = GST_BYTE_READER_INIT (NULL, 0);
+ guint8 ctts_version;
 /* copy atom data into a new buffer for later use */
 stream->ctts.data = g_memdup2 (stream->ctts.data, stream->ctts.size);
- /* skip version + flags */
- if (!gst_byte_reader_skip (&stream->ctts, 1 + 3)
+ /* version 1 has signed offsets */
+ if (!gst_byte_reader_get_uint8 (&stream->ctts, &ctts_version))
+ goto corrupt_file;
+
+ /* flags */
+ if (!gst_byte_reader_skip (&stream->ctts, 3)
 || !gst_byte_reader_get_uint32_be (&stream->ctts, &stream->n_composition_times))
 goto corrupt_file;
@@ -9443,7 +9448,7 @@ qtdemux_stbl_init (GstQTDemux * qtdemux, QtDemuxStream * stream, GNode * stbl)
 }
 if (cslg_least < 0)
- stream->cslg_shift = ABS (cslg_least);
+ stream->cslg_shift = -cslg_least;
 else
 stream->cslg_shift = 0;
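Review bot: `ctts_version` is read in the first hunk but nothing visible in this patch uses it, and the new comment `/* version 1 has signed offsets */` reads as if version 0 boxes were handled differently. The commit message says version 0 offsets are deliberately parsed as signed too, and that decision belongs next to the read, for example `/* version 1 has signed offsets; version 0 is parsed as signed as well because such files exist */`. If the version is meant to gate a later sanity check on the offsets, that code is outside this hunk and cannot be confirmed from here. The enclosing if-block of qtdemux_stbl_init starts before and continues past the hunk.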
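Review bot: `-cslg_least` in the second hunk has the same signed-overflow case as the `ABS (cslg_least)` it replaces: negating the minimum value of a signed type is undefined behaviour in C. The declaration of `cslg_least` is outside the hunk; if it is a `gint32` filled from parsed box data and `cslg_shift` is a wider type, widen before negating, `stream->cslg_shift = -(gint64) cslg_least;`. Alternatively, reject `G_MININT32` where the offsets are read, so that this assignment never sees it. Both types should be confirmed against the declarations before choosing.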