mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2024-12-20 23:36:38 +00:00
qtdemux: Fix out of bounds read in tag parsing code
We can't simply assume that the length of the tag value as given inside the stream is correct but should also check against the amount of data we have actually available. https://bugzilla.gnome.org/show_bug.cgi?id=775451
This commit is contained in:
parent
50e7096a86
commit
d0949baf3d
1 changed files with 2 additions and 2 deletions
|
@ -11767,7 +11767,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
|
|||
} else {
|
||||
len = QT_UINT32 (node->data);
|
||||
type = QT_UINT32 ((guint8 *) node->data + 4);
|
||||
if ((type >> 24) == 0xa9) {
|
||||
if ((type >> 24) == 0xa9 && len > 8 + 4) {
|
||||
gint str_len;
|
||||
gint lang_code;
|
||||
|
||||
|
@ -11786,7 +11786,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
|
|||
}
|
||||
|
||||
offset = 12;
|
||||
len = str_len + 8 + 4; /* remove trailing strings that we don't use */
|
||||
len = MIN (len, str_len + 8 + 4); /* remove trailing strings that we don't use */
|
||||
GST_DEBUG_OBJECT (qtdemux, "found international text tag");
|
||||
|
||||
if (lang_code < 0x800) { /* MAC encoded string */
|
||||
|
|
Loading…
Reference in a new issue