From 4da5ac2de4297433b4d168f59a2574af0379ee83 Mon Sep 17 00:00:00 2001
From: Urs Fleisch
Date: Wed, 8 Apr 2026 20:53:59 +0200
Subject: [PATCH] Fix writing too many offsets when updating MP4 stco/co64 atoms (#1332)

This will fix a DoS with a crafted MP4 file causing too many offsets to be written when updating the stco or co64 tables in MP4 files. Credits for the discovery of this bug go to Yuen Ying Ng (Ruth) (Cyber Security Researcher at PwC Hong Kong).
---
 taglib/mp4/mp4tag.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/taglib/mp4/mp4tag.cpp b/taglib/mp4/mp4tag.cpp
index 1640cb05..abb8a935 100644
--- a/taglib/mp4/mp4tag.cpp
+++ b/taglib/mp4/mp4tag.cpp
@@ -200,7 +200,8 @@ MP4::Tag::updateOffsets(offset_t delta, offset_t offset)
 unsigned int count = data.toUInt();
 d->file->seek(atom->offset() + 16);
 unsigned int pos = 4;
- while(count--) {
+ const unsigned int maxPos = data.size() - 4;
+ while(count-- && pos <= maxPos) {
 auto o = static_cast(data.toUInt(pos));
 if(o > offset) {
 o += delta;
@@ -220,7 +221,8 @@ MP4::Tag::updateOffsets(offset_t delta, offset_t offset)
 unsigned int count = data.toUInt();
 d->file->seek(atom->offset() + 16);
 unsigned int pos = 4;
- while(count--) {
+ const unsigned int maxPos = data.size() - 8;
+ while(count-- && pos <= maxPos) {
 long long o = data.toLongLong(pos);
 if(o > offset) {
 o += delta;
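Review bot: The new bound `const unsigned int maxPos = data.size() - 4;` wraps when the atom payload is shorter than 4 bytes (and likewise `data.size() - 8` in the co64 hunk at -220): the difference lands in an `unsigned int`, so a short `data` yields a huge `maxPos` and the `pos <= maxPos` guard no longer limits the loop, leaving the original count-driven write loop reachable. Whether a payload that short can reach this point depends on how `data` is read earlier in `updateOffsets`, which lies outside the hunk, so it may already be excluded; if not, clamp first with `const unsigned int maxPos = data.size() >= 4 ? data.size() - 4 : 0;` (and `>= 8 ? data.size() - 8 : 0` for co64), which with `pos` starting at 4 skips the loop entirely. A short comment on the guard would also help the next reader, e.g. `// bound the loop by the entries actually present in the atom, not by the stored count`. The body of updateOffsets begins and ends outside both hunks.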