[vlc-commits] demux: mp4: fix mdat box reading
Francois Cartegnie
git at videolan.org
Mon Apr 14 21:17:47 CEST 2014
vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Apr 14 21:14:07 2014 +0200| [4c3f3f823d65396db79e98e0e117e9c6c4f4928b] | committer: Francois Cartegnie
demux: mp4: fix mdat box reading
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=4c3f3f823d65396db79e98e0e117e9c6c4f4928b
---
modules/demux/mp4/mp4.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index 52c31cd..5177d57 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -3771,11 +3771,16 @@ static int MP4_frg_GetChunk( demux_t *p_demux, MP4_Box_t *p_chunk, unsigned *i_t
if( !ret->p_sample_data )
return VLC_ENOMEM;
- uint32_t dur = 0, len;
+ uint32_t dur = 0, i_mdatlen = 0, len;
uint32_t chunk_duration = 0, chunk_size = 0;
/* Skip header of mdat */
- stream_Read( p_demux->s, NULL, 8 );
+ uint8_t mdat[8];
+ int i_read = stream_Read( p_demux->s, &mdat, 8 );
+ i_mdatlen = GetDWBE( mdat );
+ if ( i_read < 8 || i_mdatlen < 8 ||
+ VLC_FOURCC( mdat[4], mdat[5], mdat[6], mdat[7] ) != ATOM_mdat )
+ return VLC_EGENERIC;
for( uint32_t i = 0; i < ret->i_sample_count; i++)
{
@@ -3799,6 +3804,9 @@ static int MP4_frg_GetChunk( demux_t *p_demux, MP4_Box_t *p_chunk, unsigned *i_t
else
len = ret->p_sample_size[i] = default_size;
+ if ( chunk_size + len > ( i_mdatlen - 8 ) )
+ return VLC_EGENERIC;
+
ret->p_sample_data[i] = malloc( len );
if( ret->p_sample_data[i] == NULL )
return VLC_ENOMEM;
@@ -3814,6 +3822,10 @@ static int MP4_frg_GetChunk( demux_t *p_demux, MP4_Box_t *p_chunk, unsigned *i_t
p_track->fmt.i_cat == VIDEO_ES )
ReInitDecoder( p_demux, p_track );
+ /* Skip if we didn't reach the end of mdat box */
+ if ( chunk_size < (i_mdatlen - 8) )
+ stream_ReadU32( p_demux->s, NULL, i_mdatlen - chunk_size - 8 );
+
p_track->b_has_non_empty_cchunk = true;
return VLC_SUCCESS;
}
More information about the vlc-commits
mailing list