[PR #2014] [MERGED] fix: Skip moov box if buffer too small to verify mvhd #2816

New Issue

Open

opened 2026-01-29 17:24:03 +00:00 by claunia · 0 comments

claunia commented 2026-01-29 17:24:03 +00:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/2014
Author: @cfsmp3
Created: 1/10/2026
Status: ✅ Merged
Merged: 1/11/2026
Merged by: @cfsmp3

Base: master ← Head: fix/mp4-moov-mvhd-bounds-check

---

📝 Commits (1)

• 3bde3dc fix: Skip moov box if buffer too small to verify mvhd

📊 Changes

1 file changed (+12 additions, -8 deletions)

View changed files

📝 src/rust/src/demuxer/stream_functions.rs (+12 -8)

📄 Description

Summary

Follow-up to #1996. Fixes incorrect behavior where a "moov" box was accepted without verifying it contains "mvhd" when the buffer was too small.

The Problem

PR #1996 fixed a panic but introduced a logic error:

// Before #1996 - would panic if buffer too small
if idx == 2 && !(bytes == "mvhd") { continue; }

// After #1996 - accepts moov without verification if buffer too small!
if idx == 2 && position + 15 < buffer.len() && !(bytes == "mvhd") { continue; }

With the #1996 fix, if position + 15 >= buffer.len():

• The condition short-circuits
• The box is NOT skipped
• An unverified "moov" is accepted as valid

The Fix

if idx == 2 {
    if position + 16 > buffer.len() {
        continue;  // Can't verify mvhd - skip this box
    }
    if !(bytes == "mvhd") {
        continue;  // No mvhd - skip this box
    }
}

Now:

• If buffer too small → skip (safe)
• If moov has mvhd → accept (valid)
• If moov lacks mvhd → skip (invalid)

Why This Is Safe

This code runs in detect_stream_type - a one-shot format probe that reads up to 1MB. For format detection:

1. Skipping an unverifiable box is safer than accepting it
2. The scoring system requires multiple valid boxes to claim MP4
3. Real MP4 files have moov+mvhd well within the first 1MB

🤖 Generated with Claude Code

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/CCExtractor/ccextractor/pull/2014 **Author:** [@cfsmp3](https://github.com/cfsmp3) **Created:** 1/10/2026 **Status:** ✅ Merged **Merged:** 1/11/2026 **Merged by:** [@cfsmp3](https://github.com/cfsmp3) **Base:** `master` ← **Head:** `fix/mp4-moov-mvhd-bounds-check` --- ### 📝 Commits (1) - [`3bde3dc`](https://github.com/CCExtractor/ccextractor/commit/3bde3dceecc9c647a1191b2a2c40320c34e4d035) fix: Skip moov box if buffer too small to verify mvhd ### 📊 Changes **1 file changed** (+12 additions, -8 deletions) <details> <summary>View changed files</summary> 📝 `src/rust/src/demuxer/stream_functions.rs` (+12 -8) </details> ### 📄 Description ## Summary Follow-up to #1996. Fixes incorrect behavior where a "moov" box was accepted without verifying it contains "mvhd" when the buffer was too small. ## The Problem PR #1996 fixed a panic but introduced a logic error: ```rust // Before #1996 - would panic if buffer too small if idx == 2 && !(bytes == "mvhd") { continue; } // After #1996 - accepts moov without verification if buffer too small! if idx == 2 && position + 15 < buffer.len() && !(bytes == "mvhd") { continue; } ``` With the #1996 fix, if `position + 15 >= buffer.len()`: - The condition short-circuits - The box is NOT skipped - **An unverified "moov" is accepted as valid** ## The Fix ```rust if idx == 2 { if position + 16 > buffer.len() { continue; // Can't verify mvhd - skip this box } if !(bytes == "mvhd") { continue; // No mvhd - skip this box } } ``` Now: - If buffer too small → skip (safe) - If moov has mvhd → accept (valid) - If moov lacks mvhd → skip (invalid) ## Why This Is Safe This code runs in `detect_stream_type` - a one-shot format probe that reads up to 1MB. For format detection: 1. Skipping an unverifiable box is safer than accepting it 2. The scoring system requires multiple valid boxes to claim MP4 3. Real MP4 files have moov+mvhd well within the first 1MB 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

claunia added the pull-request label 2026-01-29 17:24:03 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

fix/input-scc-option

fix/palette-crate-fedora

pr-1782

fix/flutter-gui-v0.7.0-files

docs/changelog-upcoming

fix/goptime-and-startcredits-bugs

fix/bindgen-upgrade-1608

fix/tesseract-version-check-future-proof

fix/ccx-encoders-spupng-memory-safety

fix/freebsd-remarks

compatibility/xp

v0.96.5

v0.96.4

v0.96.3

v0.96.2

v0.96.1

v0.96

v0.94

v0.93

v0.92

v0.91

v0.90

v0.89

v0.88

v0.87

v0.86

v0.85b

v0.85

v0.84

v0.83

v0.82

v0.81

v0.80

v0.79

v0.78

v0.77

v0.76

v0.75

v0.74

v0.73

v0.72

v0.71

v0.70

Labels

Clear labels

bug

CEA-708

difficulty: easy

difficulty: hard

difficulty: medium

DTMB

DVB

enhancement

enhancement

Flutter GUI

GCI19

good-first-task

GSoC 2021

GSOC-2023

GSOC-2023

GSOC-2023

GSoC-related

Hacktoberfest

HardsubX

help wanted

invalid

JokerTV

Mac / OSX

more-info-needed

needs-commercial-sponsor

needs-commercial-sponsor

needs-commercial-sponsor

needs-confirmation-of-being-broken

OCR

pull-request

Mirrored from GitHub Pull Request

Python

regression

Rust

teletext

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

claunia

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/ccextractor#2816