Mercurial > libavformat.hg
comparison mov.c @ 3935:d30c8469093d libavformat
stop parsing if tag size is wrongly < 8 to avoid infinite loop
| author | bcoudurier |
|---|---|
| date | Wed, 24 Sep 2008 18:55:00 +0000 |
| parents | 4ab8a237c386 |
| children | 8bdecea89071 |
comparison
equal
deleted
inserted
replaced
| 3934:1aa5e41ceaef | 3935:d30c8469093d |
|---|---|
| 1377 while (url_ftell(pb) + 8 < end) { | 1377 while (url_ftell(pb) + 8 < end) { |
| 1378 uint32_t tag_size = get_be32(pb); | 1378 uint32_t tag_size = get_be32(pb); |
| 1379 uint32_t tag = get_le32(pb); | 1379 uint32_t tag = get_le32(pb); |
| 1380 uint64_t next = url_ftell(pb) + tag_size - 8; | 1380 uint64_t next = url_ftell(pb) + tag_size - 8; |
| 1381 | 1381 |
| 1382 if (next > end) // stop if tag_size is wrong | 1382 if (tag_size < 8 || next > end) // stop if tag_size is wrong |
| 1383 break; | 1383 break; |
| 1384 | 1384 |
| 1385 switch (tag) { | 1385 switch (tag) { |
| 1386 case MKTAG(0xa9,'n','a','m'): | 1386 case MKTAG(0xa9,'n','a','m'): |
| 1387 mov_parse_udta_string(pb, c->fc->title, sizeof(c->fc->title)); | 1387 mov_parse_udta_string(pb, c->fc->title, sizeof(c->fc->title)); |