MOV: bail out to toplevel when encountering a trak or mdat chunk.

This patch fixes the sample from trac issue #733. The issue is that the size of the trak elements is coded too large, so that the next trak element would be parsed as part of the first and truncated incorrectly. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
author: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2012-03-25 16:13:04 +0400
committer: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2012-03-31 14:37:42 +0400
commit: e0ad7f74c762fb303b1374bb53865c5639649b29 (patch)
tree: ffdb542402747297a22cbd222a6f06f0bdf2fa59 /libavformat/mov.c
parent: 2d54bbb9502442b84e19c5f424a566a35cf852c6 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 248620be68..372005c75f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -319,6 +319,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         if (atom.size >= 8) {
             a.size = avio_rb32(pb);
             a.type = avio_rl32(pb);
+            if (atom.type != MKTAG('r','o','o','t') &&
+                atom.type != MKTAG('m','o','o','v'))
+            {
+                if (a.type == MKTAG('t','r','a','k') || a.type == MKTAG('m','d','a','t'))
+                {
+                    av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n");
+                    avio_skip(pb, -8);
+                    return 0;
+                }
+            }
             total_size += 8;
             if (a.size == 1) { /* 64 bit extended size */
                 a.size = avio_rb64(pb) - 8;
author	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2012-03-25 16:13:04 +0400
committer	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2012-03-31 14:37:42 +0400
commit	e0ad7f74c762fb303b1374bb53865c5639649b29 (patch)
tree	ffdb542402747297a22cbd222a6f06f0bdf2fa59 /libavformat/mov.c
parent	2d54bbb9502442b84e19c5f424a566a35cf852c6 (diff)