[vlc-commits] demux: mp4: check for overflows in PeekBoxHeader

Francois Cartegnie git at videolan.org
Fri Nov 4 19:54:00 CET 2016


vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Fri Nov  4 19:51:53 2016 +0100| [54c152537b859adae7c8a9cee5bebae80622c06d] | committer: Francois Cartegnie

demux: mp4: check for overflows in PeekBoxHeader

refs #17584

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=54c152537b859adae7c8a9cee5bebae80622c06d
---

 modules/demux/mp4/libmp4.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index e16a795..dd6adf8 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -169,6 +169,8 @@ static int MP4_PeekBoxHeader( stream_t *p_stream, MP4_Box_t *p_box )
 
     if( p_box->i_shortsize == 1 )
     {
+        if( i_read < 16 )
+            return 0;
         /* get the true size on 64 bits */
         MP4_GET8BYTES( p_box->i_size );
     }
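Review bot: The `i_read < 16` guard before `MP4_GET8BYTES` uses the same threshold as the uuid guard in the second hunk, although the two reads need different amounts of data (8 bytes for the 64-bit size, 16 for the extended type), so one of the two is probably miscounted. The MP4_GET* macros are defined outside this diff; if they decrement `i_read` as they consume bytes, only 8 bytes need to remain here and the check should be `if( i_read < 8 )`, otherwise a valid 16-byte large-size header at the very end of a stream is rejected. If they do not decrement it, this check is correct but the uuid check would have to require 24 or 32 bytes to keep `GetUUID` inside the peeked buffer. A short comment stating what `i_read` counts at this point, e.g. `/* i_read: bytes left after the 8-byte size+type */`, would settle which reading applies. The body of MP4_PeekBoxHeader starts and ends outside the hunk.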
@@ -178,8 +180,13 @@ static int MP4_PeekBoxHeader( stream_t *p_stream, MP4_Box_t *p_box )
         /* XXX size of 0 means that the box extends to end of file */
     }
 
-    if( p_box->i_type == ATOM_uuid && i_read >= 16 )
+    if( UINT64_MAX - p_box->i_size < p_box->i_pos )
+        return 0;
+
+    if( p_box->i_type == ATOM_uuid )
     {
+        if( i_read < 16 )
+            return 0;
         /* get extented type on 16 bytes */
         GetUUID( &p_box->i_uuid, p_peek );
     }
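Review bot: The new `UINT64_MAX - p_box->i_size < p_box->i_pos` test only rules out wrap-around at the unsigned 64-bit limit, which may be wider than what the code consuming `i_pos + i_size` can hold. The declaration of `i_pos` and the later offset arithmetic are outside the hunk; if either uses a signed 64-bit type, a size above `INT64_MAX - i_pos` still passes here and turns negative on conversion, so the bound would be safer as `if( p_box->i_size > (uint64_t)INT64_MAX - (uint64_t)p_box->i_pos ) return 0;`. The rejection is also silent and indistinguishable from a short peek; a `msg_Dbg( p_stream, "box size overflows stream position" );` before the `return 0` would make malformed files visible in logs during triage.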


