From aaac6c29d215dc4f36d7bec8e88466f83a234b5e Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Date: Wed, 12 Sep 2007 10:18:01 +0000
Subject: [PATCH] stop parsing udta if size is wrong/garbage, fix issue 154,
 fix RQ004F14.MOV

Originally committed as revision 10481 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 68c81dede4d..c9de693df0b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1060,6 +1060,9 @@ static int mov_read_udta(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
         uint32_t tag      = get_le32(pb);
         uint64_t next     = url_ftell(pb) + tag_size - 8;
 
+        if (next > end) // stop if tag_size is wrong
+            break;
+
         switch (tag) {
         case MKTAG(0xa9,'n','a','m'):
             mov_parse_udta_string(pb, c->fc->title,     sizeof(c->fc->title));
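Review bot: The added `next > end` check only rejects a tag_size that is too large; a tag_size below 8 makes `url_ftell(pb) + tag_size - 8` land at or before the start of the current tag and still passes the check. If the loop later seeks to `next` (the rest of mov_read_udta lies outside this hunk), a corrupt udta atom could stop the parser from advancing, so the guard should cover the lower bound too: `if (tag_size < 8 || next > end) // stop if tag_size is wrong`. The comment could also say that tag_size is presumably read from the file just above the hunk and includes the 8-byte tag header, which is why both bounds matter.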
-- 
GitLab