[vlc-commits] demux: mp4: check for overflows in PeekBoxHeader

Francois Cartegnie git at videolan.org
Thu Nov 10 11:03:22 CET 2016


vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Fri Nov  4 19:51:53 2016 +0100| [bfe14f47b1814a364b201a7b6506b21de1cdda58] | committer: Francois Cartegnie

demux: mp4: check for overflows in PeekBoxHeader

refs #17584
cherry-picked from 8466176518508a3268ffe1272d998bcb2340e603

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=bfe14f47b1814a364b201a7b6506b21de1cdda58
---

 modules/demux/mp4/libmp4.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 04469ef..7f992ba 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -105,6 +105,8 @@ int MP4_ReadBoxCommon( stream_t *p_stream, MP4_Box_t *p_box )
 
     if( p_box->i_shortsize == 1 )
     {
+        if( i_read < 8 )
+            return 0;
         /* get the true size on 64 bits */
         MP4_GET8BYTES( p_box->i_size );
     }
@@ -114,8 +116,13 @@ int MP4_ReadBoxCommon( stream_t *p_stream, MP4_Box_t *p_box )
         /* XXX size of 0 means that the box extends to end of file */
     }
 
-    if( p_box->i_type == ATOM_uuid && i_read >= 16 )
+    if( UINT64_MAX - p_box->i_size < p_box->i_pos )
+        return 0;
+
+    if( p_box->i_type == ATOM_uuid )
     {
+        if( i_read < 16 )
+            return 0;
         /* get extented type on 16 bytes */
         GetUUID( &p_box->i_uuid, p_peek );
     }



More information about the vlc-commits mailing list