From 49ddf2e0f5aa869a2fb3fbcf28c9b4dcc65fd2cc Mon Sep 17 00:00:00 2001
From: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Fri, 11 Jul 2008 21:59:17 +0000
Subject: Add atom_len sanity check to mov demuxer. Fixes bug #1168

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@27264 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/demux_mov.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'libmpdemux/demux_mov.c')

diff --git a/libmpdemux/demux_mov.c b/libmpdemux/demux_mov.c
index 87fb5872be..4a3f3c8528 100644
--- a/libmpdemux/demux_mov.c
+++ b/libmpdemux/demux_mov.c
@@ -772,6 +772,7 @@ static int gen_sh_audio(sh_audio_t* sh, mov_track_t* trak, int timescale) {
 		}
 		if (trak->stdata_len >= 36 + adjust) {
 		    int atom_len = char2int(trak->stdata,28+adjust);
+		    if (atom_len < 0 || atom_len > trak->stdata_len - 28 - adjust) atom_len = trak->stdata_len - 28 - adjust;
 		    switch(char2int(trak->stdata,32+adjust)) { // atom type
 		      case MOV_FOURCC('e','s','d','s'): {
 			mp_msg(MSGT_DEMUX, MSGL_V, "MOV: Found MPEG4 audio Elementary Stream Descriptor atom (%d)!\n", atom_len);
-- 
cgit v1.2.3