qtdemux: Fix out of bounds read in tag parsing code

We can't simply assume that the length of the tag value as given inside the stream is correct but should also check against the amount of data we have actually available. https://bugzilla.gnome.org/show_bug.cgi?id=775451
author: Sebastian Dröge <sebastian@centricular.com> 2016-12-01 13:32:22 +0200
committer: Sebastian Dröge <sebastian@centricular.com> 2016-12-01 13:32:22 +0200
commit: d0949baf3dadea6021d54abef6802fed5a06af75 (patch)
tree: 40fe296b2a707a1137f9986472bd40605d9bc454
parent: 50e7096a86ea120ca4b5b42294a8d80433803cc6 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index c5ff799db..b1d2de876 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -11767,7 +11767,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
   } else {
     len = QT_UINT32 (node->data);
     type = QT_UINT32 ((guint8 *) node->data + 4);
-    if ((type >> 24) == 0xa9) {
+    if ((type >> 24) == 0xa9 && len > 8 + 4) {
       gint str_len;
       gint lang_code;
 
@@ -11786,7 +11786,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
       }
 
       offset = 12;
-      len = str_len + 8 + 4;    /* remove trailing strings that we don't use */
+      len = MIN (len, str_len + 8 + 4); /* remove trailing strings that we don't use */
       GST_DEBUG_OBJECT (qtdemux, "found international text tag");
 
       if (lang_code < 0x800) {  /* MAC encoded string */
author	Sebastian Dröge <sebastian@centricular.com>	2016-12-01 13:32:22 +0200
committer	Sebastian Dröge <sebastian@centricular.com>	2016-12-01 13:32:22 +0200
commit	d0949baf3dadea6021d54abef6802fed5a06af75 (patch)
tree	40fe296b2a707a1137f9986472bd40605d9bc454
parent	50e7096a86ea120ca4b5b42294a8d80433803cc6 (diff)