[FFmpeg-devel] [PATCH] lavf/mov.c: Allocate buffer in case of long metadata entries.

Mon Oct 13 09:40:42 CEST 2014

Am 11.10.14 16:19, schrieb Nicolas George:
> [...]

all remarks applied.

-Thilo

-------------- next part --------------
>From 5a14ef97ffc7d82dea5644c736e6dc2de2079e89 Mon Sep 17 00:00:00 2001
From: Thilo Borgmann <thilo.borgmann at mail.de>
Date: Mon, 13 Oct 2014 09:36:17 +0200
Subject: [PATCH] lavf/mov.c: Allocate buffer in case of long metadata entries.

---
 libavformat/mov.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4ff46dd..8d6d074 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -261,7 +261,9 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 #ifdef MOV_EXPORT_ALL_METADATA
     char tmp_key[5];
 #endif
-    char str[1024], key2[16], language[4] = {0};
+    char str_small[1024], key2[16], language[4] = {0};
+    char *str = str_small;
+    char *pstr = NULL;
     const char *key = NULL;
     uint16_t langcode = 0;
     uint32_t data_type = 0, str_size;
@@ -358,13 +360,17 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     if (atom.size < 0)
         return AVERROR_INVALIDDATA;
 
-    str_size = FFMIN3(sizeof(str)-1, str_size, atom.size);
-
     if (parse)
         parse(c, pb, str_size, key);
     else {
+        if (str_size > sizeof(str_small)-1) { // allocate buffer for long data field
+            pstr = str = av_malloc(str_size);
+            if (!pstr)
+                return AVERROR(ENOMEM);
+        }
+
         if (data_type == 3 || (data_type == 0 && (langcode < 0x400 || langcode == 0x7fff))) { // MAC Encoded
-            mov_read_mac_string(c, pb, str_size, str, sizeof(str));
+            mov_read_mac_string(c, pb, str_size, str, str_size);
         } else {
             int ret = avio_read(pb, str, str_size);
             if (ret != str_size)
@@ -382,6 +388,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     av_dlog(c->fc, "tag \"%s\" value \"%s\" atom \"%.4s\" %d %"PRId64"\n",
             key, str, (char*)&atom.type, str_size, atom.size);
 
+    av_freep(&pstr);
+
     return 0;
 }
 
-- 
1.9.3 (Apple Git-50)

