Closed aler9 closed 1 year ago
This needs to be rethought since mdat data is unmarshaled into a field.
I created an issue: https://github.com/abema/go-mp4/issues/149. I'm considering adding a default maximum array length and a way to define individual limits for each box type (e.g. mdat).
@aler9 I created #150. I think this change prevents allocating a large amount of memory which significantly exceeds the file size.
@sunfish-shogi
Currently it's possible to exhaust available memory by inserting very large numbers into various size fields. This PR adds additional checks on a couple of size fields:
hdlr's name size, which is currently unchecked and is passed directly to make([]byte)
slice size, which is currently limited to 4.2GB, and is passed directly to make([]byte)
Both are now limited to 100KB. I'm not aware of any MP4 field whose content can exceed 100KB (excluding the content of mdat, which is not unmarshaled).
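The check discussed in this thread, as an added example that is not part of the PR or of go-mp4: a declared length is validated against both a fixed cap (the 100KB from the description) and the bytes actually left in the enclosing box before it reaches make([]byte). The 4-byte length-prefixed layout, readLengthPrefixed, remaining and ErrFieldTooLarge are assumptions made for illustration, not the library's real box layout or API.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxFieldLen mirrors the 100KB cap proposed in the PR description.
const maxFieldLen = 100 * 1024

var ErrFieldTooLarge = errors.New("declared field length exceeds limit")

// readLengthPrefixed reads a 4-byte big-endian length followed by that many
// bytes. remaining (hypothetical parameter) is the number of payload bytes
// left in the enclosing box after the prefix. Both bounds are enforced
// before any allocation happens.
func readLengthPrefixed(r io.Reader, remaining uint64) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	// Reject attacker-controlled sizes before they reach make().
	if uint64(n) > maxFieldLen || uint64(n) > remaining {
		return nil, fmt.Errorf("%w: declared %d, remaining %d", ErrFieldTooLarge, n, remaining)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

func main() {
	// Constructed input: the prefix claims ~4.29GB but only 4 bytes follow.
	hostile := []byte{0xFF, 0xFF, 0xFF, 0xFF, 'n', 'a', 'm', 'e'}
	_, err := readLengthPrefixed(bytes.NewReader(hostile), 4)
	fmt.Println("hostile:", err)

	// Constructed input: an honest 4-byte field.
	benign := []byte{0, 0, 0, 4, 'n', 'a', 'm', 'e'}
	b, err := readLengthPrefixed(bytes.NewReader(benign), 4)
	fmt.Printf("benign: %q %v\n", b, err)
}
```

The remaining-bytes bound is what keeps an allocation from exceeding the file size even when a larger per-box cap is configured.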