Skip to content

Commit

Permalink
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detai…
Browse files Browse the repository at this point in the history 
…l?id=51707

Resize buf to avoid buffer overflow.
  • Loading branch information
@kevinbackhouse @neheb
kevinbackhouse authored and neheb committed Sep 29, 2022
1 parent a94b020 commit a38e124
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions src/quicktimevideo.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -797,13 +797,13 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) {

const long bufMinSize = 100;
DataBuf buf(bufMinSize);
size_t size = 0, size_internal = size_external;
size_t size_internal = size_external;
std::memset(buf.data(), 0x0, buf.size());

while ((size_internal / 4 != 0) && (size_internal > 0)) {
buf.data()[4] = '\0';
io_->readOrThrow(buf.data(), 4);
size = buf.read_uint32(0, bigEndian);
const size_t size = buf.read_uint32(0, bigEndian);
if (size > size_internal)
break;
size_internal -= size;
Expand Down Expand Up @@ -845,8 +845,13 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) {
}

else if (tv) {
const size_t tv_size = size - 12;
if (tv_size > buf.size()) {
enforce(tv_size <= io_->size() - io_->tell(), Exiv2::ErrorCode::kerCorruptedMetadata);
buf.resize(tv_size);
}
io_->readOrThrow(buf.data(), 4);
io_->readOrThrow(buf.data(), size - 12);
io_->readOrThrow(buf.data(), tv_size);
xmpData_[exvGettext(tv->label_)] = Exiv2::toString(buf.data());
}

Expand Down

0 comments on commit a38e124

Please sign in to comment.