Quoting Vittorio Giovara (2017-02-10 22:08:07) > From: Aaron Colwell <acolw...@google.com> > > Signed-off-by: James Almer <jamr...@gmail.com> > --- > libavformat/mov.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 2810960..4a6f9c0 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -3255,7 +3255,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext > *pb, MOVAtom atom) > return 0; > } > avio_skip(pb, 4); /* version + flags */ > - avio_skip(pb, avio_r8(pb)); /* metadata_source */ > + avio_skip(pb, size - 12); /* metadata_source */ > > size = avio_rb32(pb); > if (size > atom.size) > @@ -3268,7 +3268,7 @@ static int mov_read_sv3d(MOVContext *c, AVIOContext > *pb, MOVAtom atom) > } > > size = avio_rb32(pb); > - if (size > atom.size) > + if (size <= 12 || size > atom.size) > return AVERROR_INVALIDDATA; > > tag = avio_rl32(pb); > -- > 2.10.0
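Review bot: in the first hunk, `avio_skip(pb, size - 12)` subtracts from a `size` that was read before this hunk starts, and nothing visible here bounds that value below; if that earlier read is only checked with `size > atom.size` (as the next `size = avio_rb32(pb)` in the trailing context still is), a box size under 12 makes `size - 12` wrap or go negative and the skip covers far more than the svhd payload. The `size <= 12` guard added in the second hunk applies to a later read, not to this one. Suggest guarding the svhd size read with the same `size <= 12 || size > atom.size` check, and adding a commit message that explains why metadata_source is no longer read as a length-prefixed field (the patch currently carries only a From and Signed-off-by line).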
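Review bot: in the second hunk, the new lower bound `size <= 12` is added to only one of the `size = avio_rb32(pb); if (size > atom.size)` checks in this function; the identical check shown in the first hunk's trailing context keeps the upper bound only. Since 12 bytes is exactly the box size, tag and version/flags header, any of these boxes with `size <= 12` has no payload, so the same bound applies to each read. Suggest either applying `if (size <= 12 || size > atom.size)` consistently to every box size read in mov_read_sv3d, or stating in the commit message why only this box needs it.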
The first hunk looks ok, but the second one is strange? Why specifically that check. I see a bunch of similar code in this function where similar checks might also make sense, yet one is added only here.

-- 
Anton Khirnov