[vlc-commits] demux: mp4: fix buffer overflow in parsing of string boxes.
Fabian Yamaguchi
git at videolan.org
Mon Dec 8 13:11:56 CET 2014
vlc | branch: master | Fabian Yamaguchi <fyamagu at gwdg.de> | Fri Dec 5 13:52:42 2014 +0100| [2e7c7091a61aa5d07e7997b393d821e91f593c39] | committer: Jean-Baptiste Kempf
demux: mp4: fix buffer overflow in parsing of string boxes.
We ensure that pbox->i_size is never smaller than 8 to avoid an
integer underflow in the third argument of the subsequent call to
memcpy. We also make sure no truncation occurs when passing values
derived from the 64 bit integer p_box->i_size to arguments of malloc
and memcpy that may be 32 bit integers on 32 bit platforms.
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=2e7c7091a61aa5d07e7997b393d821e91f593c39
---
modules/demux/mp4/libmp4.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 9429ff3..45b54c2 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2858,6 +2858,9 @@ static int MP4_ReadBox_String( stream_t *p_stream, MP4_Box_t *p_box )
{
MP4_READBOX_ENTER( MP4_Box_data_string_t );
+ if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
+ MP4_READBOX_EXIT( 0 );
+
p_box->data.p_string->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
if( p_box->data.p_string->psz_text == NULL )
MP4_READBOX_EXIT( 0 );
More information about the vlc-commits
mailing list