[vlc-commits] demux: mp4: really fix unchecked reads

[Francois Cartegnie]

vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Jul  4 14:50:39 2016 +0200| [8ce05607bafeadc1f3a92d2965d7d4e5b2d0fc61] | committer: Francois Cartegnie

demux: mp4: really fix unchecked reads

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8ce05607bafeadc1f3a92d2965d7d4e5b2d0fc61
---

 modules/demux/mp4/mp4.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index 4fb7f7c..a2e312d 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -1857,17 +1857,18 @@ static void LoadChapterApple( demux_t  *p_demux, mp4_track_t *tk )
             char p_buffer[256];
             const uint32_t i_read = stream_ReadU32( p_demux->s, p_buffer,
                                                     __MIN( sizeof(p_buffer), i_size ) );
-            const uint32_t i_len = __MIN( GetWBE(p_buffer), i_read-2 );
-
-            if( i_len > 0 )
+            if( i_read > 2 )
             {
+                const uint32_t i_string = __MIN( GetWBE(p_buffer), i_read-2 );
+                const char *psnz_string = &p_buffer[2];
+
                 seekpoint_t *s = vlc_seekpoint_New();
                 if( s == NULL ) continue;
 
-                if( !memcmp( &p_buffer[2], "\xFF\xFE", 2 ) )
-                    s->psz_name = FromCharset("UTF-16LE", &p_buffer[2], i_len);
+                if( i_string > 1 && !memcmp( psnz_string, "\xFF\xFE", 2 ) )
+                    s->psz_name = FromCharset( "UTF-16LE", psnz_string, i_string );
                 else
-                    s->psz_name = strndup( &p_buffer[2], i_len );
+                    s->psz_name = strndup( psnz_string, i_string );
 
                 if( s->psz_name == NULL )
                 {