  • qtdemux: fix allocation explosion with stsd entries · 738f32d5
    Justin Chadwell authored and GStreamer Marge Bot committed
    Previously, the user input for stsd entries was trusted completely, and
    so a maliciously crafted file could choose the length of the stsd
    entries arbitrarily and cause qtdemux to try to allocate up to 2GB of
    memory (half of a 32-bit max int).
    
    This patch fixes this by sanity checking the stsd input against the
    size of the entire stsd atom.
    
    Part-of: <!670>
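The kind of check the commit message describes, as an added example that is not GStreamer's code: a standalone parser that bounds the stsd entry count by the atom's own size before allocating. The names `parse_stsd`, `entry_info` and the sample byte arrays are hypothetical, and the layout is the standard stsd one (8-byte atom header, version/flags, 32-bit entry count, entries with an 8-byte size/format header).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout (ISO BMFF/QuickTime): 8-byte atom header, 4 bytes version/flags,
   4-byte big-endian entry count, then entries each starting with size + format. */
#define STSD_FIXED_LEN 16u
#define ENTRY_MIN_LEN 8u

typedef struct { uint32_t size, format; } entry_info; /* hypothetical type */

/* Constructed samples: one valid 'mp4a' entry; a 16-byte atom claiming 0x7fffffff entries. */
static const uint8_t VALID_STSD[] = {0,0,0,32,'s','t','s','d',0,0,0,0,0,0,0,1,
    0,0,0,16,'m','p','4','a',0,0,0,0,0,0,0,0};
static const uint8_t HOSTILE_STSD[] = {0,0,0,16,'s','t','s','d',0,0,0,0,0x7f,0xff,0xff,0xff};

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out / *count, or -1 if the atom is malformed. */
int parse_stsd(const uint8_t *atom, size_t len, entry_info **out, uint32_t *count) {
    if (len < STSD_FIXED_LEN) return -1;
    uint32_t atom_size = rd_be32(atom);
    if (atom_size < STSD_FIXED_LEN || atom_size > len) return -1;
    uint32_t n = rd_be32(atom + 12);
    /* Bound the count by what the atom can hold; dividing avoids n * 8 overflow. */
    if (n > (atom_size - STSD_FIXED_LEN) / ENTRY_MIN_LEN) return -1;
    entry_info *e = calloc(n ? n : 1, sizeof *e);
    if (!e) return -1;
    uint32_t off = STSD_FIXED_LEN;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t left = atom_size - off;
        uint32_t esz = left >= ENTRY_MIN_LEN ? rd_be32(atom + off) : 0;
        if (esz < ENTRY_MIN_LEN || esz > left) { free(e); return -1; }
        e[i].size = esz;
        e[i].format = rd_be32(atom + off + 4);
        off += esz;
    }
    *out = e; *count = n;
    return 0;
}

int main(void) {
    entry_info *e = NULL; uint32_t n = 0;
    printf("valid: %d\n", parse_stsd(VALID_STSD, sizeof VALID_STSD, &e, &n));
    free(e); e = NULL;
    printf("hostile: %d\n", parse_stsd(HOSTILE_STSD, sizeof HOSTILE_STSD, &e, &n));
    return 0;
}
```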