Fix writing too many offsets when updating MP4 stco/co64 atoms (#1332)

This will fix a DoS with a crafted MP4 file causing too many offsets
to be written when updating the stco or co64 tables in MP4 files.

Credits for the discovery of this bug go to Yuen Ying Ng (Ruth)
(Cyber Security Researcher at PwC Hong Kong).
Urs Fleisch
2026-04-08 20:53:59 +02:00
committed by GitHub
parent 193091fe2e
commit 4da5ac2de4


@ -200,7 +200,8 @@ MP4::Tag::updateOffsets(offset_t delta, offset_t offset)
unsigned int count = data.toUInt();
d->file->seek(atom->offset() + 16);
unsigned int pos = 4;
while(count--) {
const unsigned int maxPos = data.size() - 4;
while(count-- && pos <= maxPos) {
auto o = static_cast<offset_t>(data.toUInt(pos));
if(o > offset) {
o += delta;
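Review bot: `const unsigned int maxPos = data.size() - 4;` is unsigned arithmetic, so if the stco payload is shorter than 4 bytes the subtraction wraps to a very large value and `pos <= maxPos` no longer bounds the loop at all; guard the length before the loop (for example `if(data.size() < 4)` and skip the atom) or compute the bound in a signed type. For a well-formed payload the new condition is correct: `pos <= data.size() - 4` guarantees the 4 bytes consumed by `data.toUInt(pos)` lie inside the buffer, which is what stops the crafted-count DoS described in the commit message.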
@ -220,7 +221,8 @@ MP4::Tag::updateOffsets(offset_t delta, offset_t offset)
unsigned int count = data.toUInt();
d->file->seek(atom->offset() + 16);
unsigned int pos = 4;
while(count--) {
const unsigned int maxPos = data.size() - 8;
while(count-- && pos <= maxPos) {
long long o = data.toLongLong(pos);
if(o > offset) {
o += delta;
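Review bot: the same unsigned wrap applies to `const unsigned int maxPos = data.size() - 8;` when the co64 payload is shorter than 8 bytes, so the length guard suggested for the stco hunk is needed here too. Separately, when the declared `count` exceeds what the payload actually holds the loop now stops silently, leaving the remaining entries unchanged; a debug message at that point would make a truncated or crafted table diagnosable instead of silently half-updated. The two hunks differ only in entry width (4 vs 8 bytes) and the read (`toUInt` vs `toLongLong`), so one helper taking the entry size would keep the bound check in a single place.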