[FFmpeg-devel] [PATCH] lavf/mov.c: Allocate buffer in case of long metadata entries.
Thilo Borgmann
thilo.borgmann at mail.de
Sat Oct 11 16:13:24 CEST 2014
Hi,
trying to fix ticket #4018.
Metadata in mov is silently truncated to 1023 bytes.
This patch allocates a buffer when an entry exceeds 1023 bytes.
Fixes ticket #4018 for me.
Maybe check str_size against an upper limit?
-Thilo
-------------- next part --------------
>From 365bec36b3b7f1925cfa2310d979a63ef8e3a7e8 Mon Sep 17 00:00:00 2001
From: Thilo Borgmann <thilo.borgmann at mail.de>
Date: Sat, 11 Oct 2014 16:09:07 +0200
Subject: [PATCH] lavf/mov.c: Allocate buffer in case of long metadata entries.
---
libavformat/mov.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4ff46dd..136b1d5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -358,24 +358,33 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (atom.size < 0)
return AVERROR_INVALIDDATA;
- str_size = FFMIN3(sizeof(str)-1, str_size, atom.size);
-
if (parse)
parse(c, pb, str_size, key);
else {
+ char *pstr = str;
+ if (str_size > sizeof(str)-1) { // allocate buffer for long data field
+ pstr = av_malloc(str_size);
+ if (!pstr)
+ return AVERROR(ENOMEM);
+ }
+
if (data_type == 3 || (data_type == 0 && (langcode < 0x400 || langcode == 0x7fff))) { // MAC Encoded
- mov_read_mac_string(c, pb, str_size, str, sizeof(str));
+ mov_read_mac_string(c, pb, str_size, pstr, str_size);
} else {
- int ret = avio_read(pb, str, str_size);
+ int ret = avio_read(pb, pstr, str_size);
if (ret != str_size)
return ret < 0 ? ret : AVERROR_INVALIDDATA;
- str[str_size] = 0;
+ pstr[str_size] = 0;
}
c->fc->event_flags |= AVFMT_EVENT_FLAG_METADATA_UPDATED;
- av_dict_set(&c->fc->metadata, key, str, 0);
+ av_dict_set(&c->fc->metadata, key, pstr, 0);
if (*language && strcmp(language, "und")) {
snprintf(key2, sizeof(key2), "%s-%s", key, language);
- av_dict_set(&c->fc->metadata, key2, str, 0);
+ av_dict_set(&c->fc->metadata, key2, pstr, 0);
+ }
+
+ if (str_size > sizeof(str)-1) { // free buffer for long data field
+ av_freep(&pstr);
}
}
av_dlog(c->fc, "lang \"%3s\" ", language);
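Review bot: The heap path allocates `av_malloc(str_size)` but the avio_read branch then stores `pstr[str_size] = 0`, which is one byte past the allocation whenever str_size exceeds sizeof(str)-1; str_size is a length taken from the file, so this is an attacker-reachable heap overflow. Removing the FFMIN3 line also drops the clamp to atom.size, so both parse() and the new allocation now receive a length that is no longer bounded by what the atom can hold. The early return after a short avio_read leaks pstr when it was heap-allocated. The sketch below keeps the atom.size bound, allocates room for the terminator, and frees on the error path; the function body starts and ends outside the hunk, and the type of str_size is not visible here, so the comparison against sizeof should be confirmed to behave as intended if it is signed.

```c
str_size = FFMIN(str_size, atom.size); // keep the atom bound the removed FFMIN3 enforced

if (parse)
    parse(c, pb, str_size, key);
else {
    char *pstr = str;
    if (str_size > sizeof(str)-1) { // allocate buffer for long data field
        pstr = av_malloc(str_size + 1); // + 1 for the terminating 0
        if (!pstr)
            return AVERROR(ENOMEM);
    }
    // … unchanged: MAC-encoded branch …
        int ret = avio_read(pb, pstr, str_size);
        if (ret != str_size) {
            if (pstr != str)
                av_free(pstr); // do not leak the long-entry buffer on a short read
            return ret < 0 ? ret : AVERROR_INVALIDDATA;
        }
        pstr[str_size] = 0;
    // … unchanged: av_dict_set calls and the final av_freep …
```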
--
1.9.3 (Apple Git-50)