From abaf91e428e597e0209fcbf156fd5fac8a16e658 Mon Sep 17 00:00:00 2001
From: Tim-Philipp Müller <tim.muller@collabora.co.uk>
Date: Thu, 20 Aug 2009 16:47:25 +0100
Subject: qtdemux: error out correctly if we don't even have enough bytes for
 an atom header

---
 gst/qtdemux/qtdemux.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index 1dd054ad6..5193ca56b 100644
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -3085,13 +3085,16 @@ static gboolean
 qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer,
     guint length)
 {
-  guint32 fourcc;
-  guint32 node_length;
+  guint32 fourcc = 0;
+  guint32 node_length = 0;
   const QtNodeType *type;
   const guint8 *end;
 
   GST_LOG_OBJECT (qtdemux, "qtdemux_parse buffer %p length %u", buffer, length);
 
+  if (G_UNLIKELY (length < 8))
+    goto not_enough_data;
+
   node_length = QT_UINT32 (buffer);
   fourcc = QT_FOURCC (buffer + 4);
 
@@ -3108,7 +3111,7 @@ qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer,
       GST_FOURCC_ARGS (fourcc), node_length, type->name);
 
   if (node_length > length)
-    goto broken_file;
+    goto broken_atom_size;
 
   if (type->flags & QT_FLAG_CONTAINER) {
     qtdemux_parse_container (qtdemux, node, buffer + 8, end);
@@ -3238,7 +3241,14 @@ qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer,
   return TRUE;
 
 /* ERRORS */
-broken_file:
+not_enough_data:
+  {
+    GST_ELEMENT_ERROR (qtdemux, STREAM, DEMUX,
+        (_("This file is corrupt and cannot be played.")),
+        ("Not enough data for an atom header, got only %u bytes", length));
+    return FALSE;
+  }
+broken_atom_size:
   {
     GST_ELEMENT_ERROR (qtdemux, STREAM, DEMUX,
         (_("This file is corrupt and cannot be played.")),
-- 
cgit v1.2.3