Commit f6effca9 authored by Sebastian Dröge's avatar Sebastian Dröge 🍵

avidemux: Fix various out of bounds reads when parsing ncdt tags

https://bugzilla.gnome.org/show_bug.cgi?id=777500
parent 932dbeeb
...@@ -3897,6 +3897,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf, ...@@ -3897,6 +3897,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
tsize -= 4; tsize -= 4;
ptr += 4; ptr += 4;
left -= 4;
GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size); GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
/* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG /* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
...@@ -3915,10 +3916,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf, ...@@ -3915,10 +3916,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
break; break;
case 0x13: /* CreationDate */ case 0x13: /* CreationDate */
type = GST_TAG_DATE_TIME; type = GST_TAG_DATE_TIME;
if (ptr[4] == ':') if (left > 7) {
ptr[4] = '-'; if (ptr[4] == ':')
if (ptr[7] == ':') ptr[4] = '-';
ptr[7] = '-'; if (ptr[7] == ':')
ptr[7] = '-';
}
break; break;
default: default:
type = NULL; type = NULL;
...@@ -3932,6 +3935,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf, ...@@ -3932,6 +3935,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
ptr += sub_size; ptr += sub_size;
tsize -= sub_size; tsize -= sub_size;
left -= sub_size;
} }
break; break;
default: default:
......
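Review bot: The CreationDate guard `if (left > 7)` in the second hunk tests the bytes remaining in the whole buffer, not the length of the current sub-tag. For a sub-tag whose `sub_size` is below 8 and which is followed by more data, `ptr[4]` and `ptr[7]` belong to the next sub-tag, so the in-place `':'` to `'-'` rewrite can alter bytes outside the value being parsed. I would bound it by both lengths: `if (sub_size > 7 && left > 7) {`. Separately, the new `left -= sub_size;` in the third hunk is only safe if `sub_size` has already been checked against the remaining bytes. That check is not visible here, because the body of gst_avi_demux_parse_ncdt starts and ends outside these hunks; if `left` is unsigned, a wrap would let the `left > 7` guard pass on a truncated file.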