qtdemux: Fix out of bounds read in tag parsing code

We can't simply assume that the length of the tag value as given
inside the stream is correct; we should also check it against the amount of
data we actually have available.

https://bugzilla.gnome.org/show_bug.cgi?id=775451
This commit is contained in:
Sebastian Dröge 2016-12-01 13:32:22 +02:00
parent 50e7096a86
commit d0949baf3d


@ -11767,7 +11767,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
} else { } else {
len = QT_UINT32 (node->data); len = QT_UINT32 (node->data);
type = QT_UINT32 ((guint8 *) node->data + 4); type = QT_UINT32 ((guint8 *) node->data + 4);
if ((type >> 24) == 0xa9) { if ((type >> 24) == 0xa9 && len > 8 + 4) {
gint str_len; gint str_len;
gint lang_code; gint lang_code;
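Review bot: The new guard `len > 8 + 4` only makes the header-field reads that follow safe if `len` is itself bounded by the bytes actually present behind `node->data`; nothing in this hunk shows that, so the check is only as strong as whatever produced `len` (the commit message suggests the node parser already validates it, but that is not visible here). If that bound is established elsewhere, a comment would make the dependency explicit, e.g. `/* len is the node size and has already been checked against the available data; 8 + 4 = size/type header plus the fields read below */`. The same literal `8 + 4` reappears in the second hunk as `MIN (len, str_len + 8 + 4)`; giving it one name (an enum or `#define`) would keep the two bounds in step. The enclosing function qtdemux_tag_add_str_full continues outside the hunk, so the reads guarded by this condition could not be checked from here.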
@ -11786,7 +11786,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
} }
offset = 12; offset = 12;
len = str_len + 8 + 4; /* remove trailing strings that we don't use */ len = MIN (len, str_len + 8 + 4); /* remove trailing strings that we don't use */
GST_DEBUG_OBJECT (qtdemux, "found international text tag"); GST_DEBUG_OBJECT (qtdemux, "found international text tag");
if (lang_code < 0x800) { /* MAC encoded string */ if (lang_code < 0x800) { /* MAC encoded string */