[vlc-commits] demux: libmp4: fix heap write ofw in chan (fix #12371)

Francois Cartegnie git at videolan.org
Fri Oct 10 00:01:57 CEST 2014 

vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Thu Oct  9 23:56:16 2014 +0200| [16a51ea7647b568d5b4d4580106127cfe315ad33] | committer: Francois Cartegnie

demux: libmp4: fix heap write ofw in chan (fix #12371)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=16a51ea7647b568d5b4d4580106127cfe315ad33
---

 modules/demux/mp4/libmp4.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index f0e4e73..17aae0d 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1567,23 +1567,30 @@ static int MP4_ReadBox_stsdext_chan( stream_t *p_stream, MP4_Box_t *p_box )
     MP4_GET4BYTES( p_chan->layout.i_channels_layout_tag );
     MP4_GET4BYTES( p_chan->layout.i_channels_bitmap );
     MP4_GET4BYTES( p_chan->layout.i_channels_description_count );
-    if ( i_read < p_chan->layout.i_channels_description_count * 24 )
+
+    size_t i_descsize = 8 + 3 * sizeof(float);
+    if ( (size_t)i_read < p_chan->layout.i_channels_description_count * i_descsize )
         MP4_READBOX_EXIT( 0 );
 
     p_chan->layout.p_descriptions =
-        malloc( p_chan->layout.i_channels_description_count * 24 );
+        malloc( p_chan->layout.i_channels_description_count * i_descsize );
 
     if ( !p_chan->layout.p_descriptions )
         MP4_READBOX_EXIT( 0 );
 
-    for( uint32_t i=0; i<p_chan->layout.i_channels_description_count; i++ )
+    uint32_t i;
+    for( i=0; i<p_chan->layout.i_channels_description_count; i++ )
     {
+        if ( i_read < 20 )
+            break;
         MP4_GET4BYTES( p_chan->layout.p_descriptions[i].i_channel_label );
         MP4_GET4BYTES( p_chan->layout.p_descriptions[i].i_channel_flags );
         MP4_GET4BYTES( p_chan->layout.p_descriptions[i].f_coordinates[0] );
         MP4_GET4BYTES( p_chan->layout.p_descriptions[i].f_coordinates[1] );
         MP4_GET4BYTES( p_chan->layout.p_descriptions[i].f_coordinates[2] );
     }
+    if ( i<p_chan->layout.i_channels_description_count )
+        p_chan->layout.i_channels_description_count = i;
 
 #ifdef MP4_VERBOSE
     msg_Dbg( p_stream,

More information about the vlc-commits mailing list