[vlc-commits] demux: mp4: esds heap buffer ofw (fix #17856)

Francois Cartegnie git at videolan.org
Mon Oct 31 21:16:48 CET 2016


vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Oct 31 21:11:05 2016 +0100| [2fcaeb92a4948dd96e202667b889af491378f9fd] | committer: Francois Cartegnie

demux: mp4: esds heap buffer ofw (fix #17856)

cherry-picked from 7f6786ab6c8fb624726a63f07d79c23892827dfb

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=2fcaeb92a4948dd96e202667b889af491378f9fd
---

 modules/demux/mp4/libmp4.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index d05abe6..37efa35 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1230,20 +1230,21 @@ static int MP4_ReadBox_esds( stream_t *p_stream, MP4_Box_t *p_box )
         {
             MP4_GET2BYTES( es_descriptor.i_depend_on_ES_ID );
         }
-        if( es_descriptor.b_url )
+        if( es_descriptor.b_url && i_read > 0 )
         {
-            unsigned int i_len;
+            uint8_t i_url;
 
-            MP4_GET1BYTE( i_len );
-            i_len = __MIN(i_read, i_len);
-            es_descriptor.psz_URL = malloc( i_len + 1 );
+            MP4_GET1BYTE( i_url );
+            if( i_url <= i_read )
+                MP4_READBOX_EXIT( 1 );
+            es_descriptor.psz_URL = malloc( (unsigned) i_url + 1 );
             if( es_descriptor.psz_URL )
             {
-                memcpy( es_descriptor.psz_URL, p_peek, i_len );
-                es_descriptor.psz_URL[i_len] = 0;
+                memcpy( es_descriptor.psz_URL, p_peek, i_url );
+                es_descriptor.psz_URL[i_url] = 0;
             }
-            p_peek += i_len;
-            i_read -= i_len;
+            p_peek += i_url;
+            i_read -= i_url;
         }
         else
         {



More information about the vlc-commits mailing list