From b80803943388050cb870c95934fc52feeffb94ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Sat, 3 May 2025 09:43:32 +0300
Subject: [PATCH] qtdemux: Check if enough bytes are available for each stsd
 entry

There must be at least 8 bytes for the length / fourcc of each entry. After
reading those, the length is already validated against the remaining available
bytes.

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4407
Fixes CVE-2025-47219

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9137>

CVE: CVE-2025-47219
Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b80803943388050cb870c95934fc52feeffb94ac]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 gst/isomp4/qtdemux.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 10b21a6..b40aa81 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -11399,6 +11399,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
     gchar *codec = NULL;
     QtDemuxStreamStsdEntry *entry = &stream->stsd_entries[stsd_index];
 
+    /* needs at least length and fourcc */
+    if (remaining_stsd_len < 8)
+      goto corrupt_file;
+
     /* and that entry should fit within stsd */
     len = QT_UINT32 (stsd_entry_data);
     if (len > remaining_stsd_len)
-- 
2.50.1