From bf252f7f6fa9c79743242f3efdd30827c97407b4 Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier
Date: Tue, 3 Feb 2009 23:03:41 +0000
Subject: [PATCH] prevent reading more than container atom size, fix broken file broken_by_rev15830.MOV, fix #818

Originally committed as revision 16979 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/mov.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 5dd2acef8f..ba32ca7f13 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1443,10 +1443,12 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 get_be32(pb); // type
 get_be32(pb); // unknown
 str_size = data_size - 16;
+ atom.size -= 16;
 } else return 0;
 } else {
 str_size = get_be16(pb); // string length
 get_be16(pb); // language
+ atom.size -= 4;
 }
 switch (atom.type) {
 case MKTAG(0xa9,'n','a','m'):
@@ -1464,8 +1466,11 @@ static int mov_read_udta_string(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
 }
 if (!str)
 return 0;
- get_buffer(pb, str, FFMIN(size, str_size));
- dprintf(c->fc, "%.4s %s\n", (char*)&atom.type, str);
+ if (atom.size < 0)
+ return -1;
+
+ get_buffer(pb, str, FFMIN3(size, str_size, atom.size));
+ dprintf(c->fc, "%.4s %s %d %lld\n", (char*)&atom.type, str, str_size, atom.size);
 return 0;
 }
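Review bot: The new guard before get_buffer() rejects only a negative atom.size, but str_size can also go negative from the first hunk's `str_size = data_size - 16;` when the file supplies a data_size below 16, and FFMIN3 would then hand that negative value to get_buffer() — data_size appears to come from the file above the hunk, so this is attacker-controlled. The guard should cover both: `if (atom.size < 0 || str_size < 0) return -1;`. Separately, the added dprintf prints atom.size with `%lld`, while the FFMIN3 with an int str_size suggests it is a 64-bit type; if it is int64_t, the portable form is `"%.4s %s %d %"PRId64"\n"`. mov_read_udta_string's signature and the read of data_size lie outside the hunk.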