On 1/27/2017 2:44 PM, Aaron Colwell wrote: > The metadata_source field is a null-terminated string, like other ISOBMFF > strings, not an 8-bit length followed by string characters. This patch > fixes the parsing code so it rejects svhd boxes that are too small and > skips to the end of the svhd box since we don't actually care about the > contents of the > metadata_source field. > > > 0001-mov-Fix-spherical-metadata_source-parsing.patch > > > From f63f65135e7059376acff3acc0e5268a8861d21d Mon Sep 17 00:00:00 2001 > From: Aaron Colwell <[email protected]> > Date: Fri, 27 Jan 2017 09:33:29 -0800 > Subject: [PATCH] mov: Fix spherical metadata_source parsing. > > The metadata_source field is a null-terminated string, like other ISOBMFF > strings, > not an 8-bit length followed by string characters. This patch fixes the > parsing > code so it rejects svhd boxes that are too small and skips to the end of the > svhd > box since we don't actually care about the contents of the > metadata_source field. > --- > libavformat/mov.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 7dc550eb99..b1bfa0a35f 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -4566,7 +4566,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext > *pb, MOVAtom atom) > } > > size = avio_rb32(pb); > - if (size > atom.size) > + if (size <= 12 || size > atom.size) > return AVERROR_INVALIDDATA; > > tag = avio_rl32(pb); > @@ -4575,7 +4575,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext > *pb, MOVAtom atom) > return 0; > } > avio_skip(pb, 4); /* version + flags */ > - avio_skip(pb, avio_r8(pb)); /* metadata_source */ > + avio_skip(pb, size - 12); /* metadata_source */ > > size = avio_rb32(pb); > if (size > atom.size) > -- 2.11.0.483.g087da7b7c-goog
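Review bot: in the first hunk, the literal 12 in `size <= 12` is unexplained. From the reads visible in the patch it is the 4-byte size, the 4-byte tag and the 4-byte version + flags that precede metadata_source, and `<=` rather than `<` also rejects a box with no room for the string's terminating NUL. A one-line comment or a named constant next to the check would keep this bound and the `size - 12` skip in the second hunk from drifting apart if the header reads ever change.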
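Review bot: in the second hunk, `avio_skip(pb, size - 12)` yields a positive skip length only because of the `size <= 12` rejection added in the first hunk, and nothing at the call site says so. The comment `/* metadata_source */` now labels a skip of the whole remainder of the svhd box, so it no longer describes what the line does; something like "skip rest of svhd, including metadata_source" would be more accurate. The context line `if (size > atom.size)` for the box that follows still has only an upper bound, so it is worth checking whether that read needs a matching lower bound.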
Pushed, thanks.
