fix: reject extended size for all boxes but mdat

Author: tobbee

CHANGELOG.md

@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - duration is printed by `MdhdBox.Info()`
+- extended size usage only allowed for `mdat` boxes
 
 ## [0.50.0] - 2025-09-05
 

Makefile

@@ -34,7 +34,7 @@ open-docs:
 .PHONY: coverage
 coverage:
 	# Ignore (allow) packages without any tests
-	go test ./... -coverprofile coverage.out
+	go test -coverpkg=./... -coverprofile coverage.out ./...
 	go tool cover -html=coverage.out -o coverage.html
 	go tool cover -func coverage.out -o coverage.txt
 	tail -1 coverage.txt

mp4/box.go

@@ -214,6 +214,10 @@ func DecodeHeader(r io.Reader) (BoxHeader, error) {
 	headerLen := boxHeaderSize
 	switch size {
 	case 1: // size 1 means large size in next 8 bytes
+		boxType := string(buf[4:8])
+		if boxType != "mdat" {
+			return BoxHeader{}, fmt.Errorf("extended size not supported for box type %s", boxType)
+		}
 		buf := make([]byte, largeSizeLen)
 		_, err = io.ReadFull(r, buf)
 		if err != nil {

mp4/box_test.go

@@ -75,10 +75,15 @@ func TestDecodeHeader(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name:    "extended size with sufficient bytes",
-			data:    []byte{0x00, 0x00, 0x00, 0x01, 't', 'e', 's', 't', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20},
+			name:    "extended size with sufficient bytes for mdat",
+			data:    []byte{0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20},
 			wantErr: false,
 		},
+		{
+			name:    "extended size rejected for non-mdat",
+			data:    []byte{0x00, 0x00, 0x00, 0x01, 't', 'e', 's', 't', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20},
+			wantErr: true,
+		},
 		{
 			name:    "zero size not supported",
 			data:    []byte{0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't'},

mp4/boxsr.go

@@ -186,6 +186,9 @@ func DecodeHeaderSR(sr bits.SliceReader) (BoxHeader, error) {
 	headerLen := boxHeaderSize
 	switch size {
 	case 1: // size 1 means large size in next 8 bytes
+		if boxType != "mdat" {
+			return BoxHeader{}, fmt.Errorf("extended size not supported for box type %s", boxType)
+		}
 		size = sr.ReadUint64()
 		headerLen += largeSizeLen
 	case 0: // size 0 means to end of file

mp4/boxsr_test.go

@@ -32,10 +32,15 @@ func TestDecodeHeaderSRInsufficientBytes(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name:    "extended size with sufficient bytes",
-			data:    []byte{0x00, 0x00, 0x00, 0x01, 't', 'e', 's', 't', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20},
+			name:    "extended size with sufficient bytes for mdat",
+			data:    []byte{0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20},
 			wantErr: false,
 		},
+		{
+			name:    "extended size rejected for non-mdat",
+			data:    []byte{0x00, 0x00, 0x00, 0x01, 't', 'e', 's', 't', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20},
+			wantErr: true,
+		},
 		{
 			name:    "zero size not supported",
 			data:    []byte{0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't'},

mp4/senc.go

@@ -109,8 +109,8 @@ func (s *SencBox) ReadButNotParsed() bool {
 
 // DecodeSenc - box-specific decode
 func DecodeSenc(hdr BoxHeader, startPos uint64, r io.Reader) (Box, error) {
-	if hdr.Size < 16 {
-		return nil, fmt.Errorf("box size %d less than min size 16", hdr.Size)
+	if hdr.payloadLen() < 8 {
+		return nil, fmt.Errorf("payload size %d less than min size 8", hdr.payloadLen())
 	}
 	data, err := readBoxBody(r, hdr)
 	if err != nil {
@@ -125,10 +125,6 @@ func DecodeSenc(hdr BoxHeader, startPos uint64, r io.Reader) (Box, error) {
 	}
 	sampleCount := binary.BigEndian.Uint32(data[4:8])
 
-	if len(data) < 8 {
-		return nil, fmt.Errorf("senc: box size %d less than 16", hdr.Size)
-	}
-
 	senc := SencBox{
 		Version:          version,
 		rawData:          data[8:], // After the first 8 bytes of box content
@@ -140,8 +136,8 @@ func DecodeSenc(hdr BoxHeader, startPos uint64, r io.Reader) (Box, error) {
 	}
 
 	if flags&UseSubSampleEncryption != 0 && (len(senc.rawData) < 2*int(sampleCount)) {
-		return nil, fmt.Errorf("box size %d too small for %d samples and subSampleEncryption",
-			hdr.Size, sampleCount)
+		return nil, fmt.Errorf("payload size %d too small for %d samples and subSampleEncryption",
+			hdr.payloadLen(), sampleCount)
 	}
 
 	if senc.SampleCount == 0 || len(senc.rawData) == 0 {
@@ -153,9 +149,10 @@ func DecodeSenc(hdr BoxHeader, startPos uint64, r io.Reader) (Box, error) {
 
 // DecodeSencSR - box-specific decode
 func DecodeSencSR(hdr BoxHeader, startPos uint64, sr bits.SliceReader) (Box, error) {
-	if hdr.Size < 16 {
-		return nil, fmt.Errorf("box size %d less than min size 16", hdr.Size)
+	if hdr.payloadLen() < 8 {
+		return nil, fmt.Errorf("payload size %d less than min size 8", hdr.payloadLen())
 	}
+	payloadLen := uint64(hdr.payloadLen())
 
 	versionAndFlags := sr.ReadUint32()
 	version := byte(versionAndFlags >> 24)
@@ -165,14 +162,14 @@ func DecodeSencSR(hdr BoxHeader, startPos uint64, sr bits.SliceReader) (Box, err
 	flags := versionAndFlags & flagsMask
 	sampleCount := sr.ReadUint32()
 
-	if flags&UseSubSampleEncryption != 0 && ((hdr.Size - 16) < 2*uint64(sampleCount)) {
-		return nil, fmt.Errorf("box size %d too small for %d samples and subSampleEncryption",
-			hdr.Size, sampleCount)
+	if flags&UseSubSampleEncryption != 0 && ((payloadLen - 8) < 2*uint64(sampleCount)) {
+		return nil, fmt.Errorf("payload size %d too small for %d samples and subSampleEncryption",
+			hdr.payloadLen(), sampleCount)
 	}
 
 	senc := SencBox{
 		Version:          version,
-		rawData:          sr.ReadBytes(hdr.payloadLen() - 8), // After the first 8 bytes of box content
+		rawData:          sr.ReadBytes(int(payloadLen - 8)), // After the first 8 bytes of box content
 		Flags:            flags,
 		StartPos:         startPos,
 		SampleCount:      sampleCount,

mp4/senc_test.go

@@ -179,7 +179,7 @@ func TestBadSencData(t *testing.T) {
 		{
 			desc: "too short",
 			raw:  []byte{0x00, 0x00, 0x00, 0x0f, 's', 'e', 'n', 'c', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-			err:  "decode senc pos 0: box size 15 less than min size 16",
+			err:  "decode senc pos 0: payload size 7 less than min size 8",
 		},
 		{
 			desc: "v1 not supported",
@@ -189,7 +189,12 @@ func TestBadSencData(t *testing.T) {
 		{
 			desc: "too short for subsample encryption",
 			raw:  []byte{0x00, 0x00, 0x00, 0x10, 's', 'e', 'n', 'c', 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xff},
-			err:  "decode senc pos 0: box size 16 too small for 255 samples and subSampleEncryption",
+			err:  "decode senc pos 0: payload size 8 too small for 255 samples and subSampleEncryption",
+		},
+		{
+			desc: "extended size rejected for senc (issue 479)",
+			raw:  []byte{0x00, 0x00, 0x00, 0x01, 's', 'e', 'n', 'c', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10},
+			err:  "extended size not supported for box type senc",
 		},
 	}