From 3ecb07c674ba56b035d68a0c1fe4d3e71c633da1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Sun, 4 May 2025 18:47:07 +0300
Subject: [PATCH] qtdemux: Don't parse invalid data from ISOBMFF AudioSampleEntryV1
The additional fields only exist in sound sample description v1, which is only defined for MOV. ISOBMFF has AudioSampleEntryV1 but it has the exact same layout as AudioSampleEntry.
Part-of:
---
 subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index a76240b517..4fb0b37668 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -14507,6 +14507,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
 QtDemuxStream *stream = NULL;
 const guint8 *stsd_data;
+ guint8 stsd_version;
 guint stsd_entry_count;
 guint stsd_index;
 guint16 lang_code; /* quicktime lang code or packed iso code */
@@ -14699,6 +14700,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
 }
 }
+ stsd_version = QT_UINT8 (stsd_data + 8);
 stream->stsd_entries_length = stsd_entry_count = QT_UINT32 (stsd_data + 12);
 /* each stsd entry must contain at least 8 bytes */
 if (stream->stsd_entries_length == 0
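Review bot: The added `stsd_version = QT_UINT8 (stsd_data + 8);` in the second hunk (at -14699) has no comment saying which byte this is, although it is the value that later decides how audio sample entries are parsed. I would put `/* stsd is a full box: the version byte follows the 4-byte size and 4-byte type */` above it. The read sits below the existing 32-bit read at `stsd_data + 12`, so it needs no length check of its own beyond whatever already guards that one. That guard is outside the hunk and should be confirmed to run before this line. The enclosing function starts and ends outside the hunk.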
@@ -15912,7 +15914,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
 offset = 36;
- if (version == 0x00010000) {
+ /* This is only valid in MOV files. To distinguish this from the
+ * AudioSampleEntryV1 from ISOBMFF (which does not have the additional
+ * fields but instead the exact same layout as AudioSampleEntry), the
+ * latter requires a stsd of version 1 to be used.
+ * The same goes for version 2 below, for which no equivalent in ISOBMFF
+ * exists yet, fortunately
+ */
+ if (version == 0x00010000 && stsd_version == 0) {
 /* sample description entry (16) + sound sample description v1 (20+16) */
 if (len < 52)
 goto corrupt_file;
@@ -15939,7 +15948,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
 GST_LOG_OBJECT (qtdemux, "samples/frame: %d",
 entry->samples_per_frame);
 }
- } else if (version == 0x00020000) {
+ } else if (version == 0x00020000 && stsd_version == 0) {
 /* sample description entry (16) + sound sample description v2 (56) */
 if (len < 72)
 goto corrupt_file;
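Review bot: The new guard `stsd_version == 0` on the `version == 0x00010000` branch, and the same guard on the `0x00020000` branch in the following hunk, sends every non-zero stsd version down the non-MOV path, while the comment only names version 1. Both fields are read from the file, so the comment should state the rule the code applies, for example by adding `* Any non-zero stsd version is treated as not-MOV here.` If only version 1 is meant, the condition wants an explicit check and a log line for other values. An entry with `version == 0x00010000` in a non-zero-version stsd now falls through the whole if/else chain, whose tail is outside the hunk. If that tail warns about unknown versions, it would presumably fire for conforming ISOBMFF files, which is worth confirming.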