Google Git
Sign in
skia/external/github.com/AOMediaCodec/libavif/2be0ec98b735047d5b7dd285814e17fd61aff7a5^!/.
commit
2be0ec98b735047d5b7dd285814e17fd61aff7a5
[log]
author
Vignesh Venkat <vigneshv@google.com>
Tue Apr 30 12:55:22 2024 -0700
committer
Vignesh Venkatasubramanian <vigneshvg@users.noreply.github.com>
Tue Apr 30 13:59:52 2024 -0700
tree
e4478d4983fddab86eae95413baf68e695c64c42
parent
ab86c0c1b7015e568dd8eff5ce5fcfda439895c3 [diff]
read.c: Use header size when parsing VisualSampleEntry

The current code uses avifROStreamRemainingBytes which is not
correct. We are inside a for loop where each loop is a box with
a fixed header size. So within each loop, we should not parse
more than that loop's header size.

Also return an error if there aren't enough bytes to parse
VisualSampleEntry.

diff --git a/src/read.c b/src/read.c
index c06a4d3..7d23766 100644
--- a/src/read.c
+++ b/src/read.c

@@ -3259,8 +3259,12 @@
             return AVIF_RESULT_OUT_OF_MEMORY;
         }
         memcpy(description->format, sampleEntryHeader.type, sizeof(description->format));
-        size_t remainingBytes = avifROStreamRemainingBytes(&s);
-        if ((avifGetCodecType(description->format) != AVIF_CODEC_TYPE_UNKNOWN) && (remainingBytes > VISUALSAMPLEENTRY_SIZE)) {
+        size_t remainingBytes = sampleEntryHeader.size;
+        if ((avifGetCodecType(description->format) != AVIF_CODEC_TYPE_UNKNOWN)) {
+            if (remainingBytes < VISUALSAMPLEENTRY_SIZE) {
+                avifDiagnosticsPrintf(diag, "Not enough bytes to parse VisualSampleEntry");
+                return AVIF_RESULT_BMFF_PARSE_FAILED;
+            }
             AVIF_CHECKRES(avifParseItemPropertyContainerBox(&description->properties,
                                                             rawOffset + avifROStreamOffset(&s) + VISUALSAMPLEENTRY_SIZE,
                                                             avifROStreamCurrent(&s) + VISUALSAMPLEENTRY_SIZE,