From 0df52e39933c2dbef07db48abc06871159b1f32f Mon Sep 17 00:00:00 2001
From: Urs Fleisch
Date: Sat, 18 Apr 2026 19:46:55 +0200
Subject: [PATCH] Apply stco/co64 bounds fix from PR #1333 to MP4 chapter code

The updateChunkOffsets() function in mp4qtchapterlist.cpp and mp4chapterlist.cpp is duplicated code from mp4tag.cpp and needs the patch from mp4tag.cpp too.
---
 taglib/mp4/mp4chapterlist.cpp | 6 ++++--
 taglib/mp4/mp4qtchapterlist.cpp | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/taglib/mp4/mp4chapterlist.cpp b/taglib/mp4/mp4chapterlist.cpp
index 606de55b..5314e4fa 100644
--- a/taglib/mp4/mp4chapterlist.cpp
+++ b/taglib/mp4/mp4chapterlist.cpp
@@ -83,7 +83,8 @@ namespace
 unsigned int count = data.toUInt();
 file->seek(atom->offset() + 16);
 unsigned int pos = 4;
- while(count--) {
+ const unsigned int maxPos = data.size() - 4;
+ while(count-- && pos <= maxPos) {
 auto o = static_cast(data.toUInt(pos));
 if(o > offset)
 o += delta;
@@ -101,7 +102,8 @@ namespace
 unsigned int count = data.toUInt();
 file->seek(atom->offset() + 16);
 unsigned int pos = 4;
- while(count--) {
+ const unsigned int maxPos = data.size() - 8;
+ while(count-- && pos <= maxPos) {
 long long o = data.toLongLong(pos);
 if(o > offset)
 o += delta;
diff --git a/taglib/mp4/mp4qtchapterlist.cpp b/taglib/mp4/mp4qtchapterlist.cpp
index 3afc572a..ccdeccfb 100644
--- a/taglib/mp4/mp4qtchapterlist.cpp
+++ b/taglib/mp4/mp4qtchapterlist.cpp
@@ -95,7 +96,8 @@ namespace
 unsigned int count = data.toUInt();
 file->seek(atom->offset() + 16);
 unsigned int pos = 4;
- while(count--) {
+ const unsigned int maxPos = data.size() - 4;
+ while(count-- && pos <= maxPos) {
 auto o = static_cast(data.toUInt(pos));
 if(o > offset)
 o += delta;
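Review bot: `data.size() - 4` is computed in unsigned arithmetic, so if `data` holds fewer than 4 bytes the subtraction wraps, `maxPos` becomes very large, and `pos <= maxPos` no longer limits the loop, which is then bounded only by the `count` read from the file. The same applies to `data.size() - 8` in the `toLongLong` loop of this file and to both loops in mp4qtchapterlist.cpp. The code that fills `data` and the rest of each loop body are outside these hunks, so whether such a short buffer can actually reach this point is inferred, not shown. Comparing without a subtraction avoids the wrap: `while(count-- && pos + 4 <= data.size()) {`, with `pos + 8` in the `toLongLong` loops.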
@@ -113,7 +114,8 @@ namespace
 unsigned int count = data.toUInt();
 file->seek(atom->offset() + 16);
 unsigned int pos = 4;
- while(count--) {
+ const unsigned int maxPos = data.size() - 8;
+ while(count-- && pos <= maxPos) {
 long long o = data.toLongLong(pos);
 if(o > offset)
 o += delta;
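Review bot: The new bound carries no comment saying why it exists, and this patch has to add it to four near-identical loops. A line above `maxPos` such as `// count is read from the file; never iterate past the bytes actually held in data` would keep a later cleanup from dropping the check as redundant. Since the commit message states that this code is duplicated from mp4tag.cpp, moving the offset-table rewrite into one shared helper would let the next bounds fix land in a single place. The function body continues outside this hunk.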