[FFmpeg-cvslog] MOV: bail out to toplevel when encountering a trak or mdat chunk.

Reimar Döffinger git at videolan.org
Sat Mar 31 12:38:03 CEST 2012


ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Sun Mar 25 14:13:04 2012 +0200| [e0ad7f74c762fb303b1374bb53865c5639649b29] | committer: Reimar Döffinger

MOV: bail out to toplevel when encountering a trak or mdat chunk.

This patch fixes the sample from trac issue #733.
The issue is that the size of the trak elements is coded
too large, so that the next trak element would be parsed
as part of the first and truncated incorrectly.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0ad7f74c762fb303b1374bb53865c5639649b29
---

 libavformat/mov.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 248620b..372005c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -319,6 +319,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         if (atom.size >= 8) {
             a.size = avio_rb32(pb);
             a.type = avio_rl32(pb);
+            if (atom.type != MKTAG('r','o','o','t') &&
+                atom.type != MKTAG('m','o','o','v'))
+            {
+                if (a.type == MKTAG('t','r','a','k') || a.type == MKTAG('m','d','a','t'))
+                {
+                    av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n");
+                    avio_skip(pb, -8);
+                    return 0;
+                }
+            }
             total_size += 8;
             if (a.size == 1) { /* 64 bit extended size */
                 a.size = avio_rb64(pb) - 8;


