From 9b028a50e1cc158f3756479cef7f5a55ec0f366b Mon Sep 17 00:00:00 2001
From: Vignesh Venkat
Date: Tue, 30 Apr 2024 12:55:22 -0700
Subject: [PATCH] read.c: Use header size when parsing VisualSampleEntry

The current code uses avifROStreamRemainingBytes which is not correct. We are inside a for loop where each loop is a box with a fixed header size. So within each loop, we should not parse more than that loop's header size. Also return an error if there aren't enough bytes to parse VisualSampleEntry.
---
 src/read.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/read.c b/src/read.c
index c06a4d32de..7d23766dd5 100644
--- a/src/read.c
+++ b/src/read.c
@@ -3259,8 +3259,12 @@ static avifResult avifParseSampleDescriptionBox(avifSampleTable * sampleTable,
 return AVIF_RESULT_OUT_OF_MEMORY;
 }
 memcpy(description->format, sampleEntryHeader.type, sizeof(description->format));
- size_t remainingBytes = avifROStreamRemainingBytes(&s);
- if ((avifGetCodecType(description->format) != AVIF_CODEC_TYPE_UNKNOWN) && (remainingBytes > VISUALSAMPLEENTRY_SIZE)) {
+ size_t remainingBytes = sampleEntryHeader.size;
+ if ((avifGetCodecType(description->format) != AVIF_CODEC_TYPE_UNKNOWN)) {
+ if (remainingBytes < VISUALSAMPLEENTRY_SIZE) {
+ avifDiagnosticsPrintf(diag, "Not enough bytes to parse VisualSampleEntry");
+ return AVIF_RESULT_BMFF_PARSE_FAILED;
+ }
 AVIF_CHECKRES(avifParseItemPropertyContainerBox(&description->properties,
 rawOffset + avifROStreamOffset(&s) + VISUALSAMPLEENTRY_SIZE,
 avifROStreamCurrent(&s) + VISUALSAMPLEENTRY_SIZE,
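Review bot: The new `if` line keeps a redundant outer pair of parentheses left over from dropping the `&& (remainingBytes > VISUALSAMPLEENTRY_SIZE)` operand; it should read `if (avifGetCodecType(description->format) != AVIF_CODEC_TYPE_UNKNOWN) {`. The name `remainingBytes` is now misleading, since it holds the sample entry box's declared payload size rather than what is left in the stream, so a rename such as `sampleEntrySize` would make the new bound self-explanatory. Note also that the comparison moved from a strict `>` to an error-on-`<`, so a box whose payload is exactly VISUALSAMPLEENTRY_SIZE now reaches avifParseItemPropertyContainerBox with what is presumably a zero-length range where it was previously skipped; if that is intended, a one-line comment such as `// An empty property container after the VisualSampleEntry is valid.` would record it. The bound is only safe if `sampleEntryHeader.size` was already validated against the actual bytes left in `s` when the header was read, which happens outside this hunk, as do the start and end of avifParseSampleDescriptionBox.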