[vlc-commits] mp4: fix potential pointer overflow
Rémi Denis-Courmont
git at videolan.org
Fri Nov 24 20:54:36 CET 2017
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Nov 24 19:01:53 2017 +0200| [794b54c8fb52ec0d2cdbadae92b0226f8fafd799] | committer: Rémi Denis-Courmont
mp4: fix potential pointer overflow
p_peek could go out-of-range, UB.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=794b54c8fb52ec0d2cdbadae92b0226f8fafd799
---
modules/demux/mp4/libmp4.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 29541c72c9..b5e5a0598b 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -566,19 +566,21 @@ static int MP4_ReadBoxContainer( stream_t *p_stream, MP4_Box_t *p_container )
static int MP4_ReadBoxSkip( stream_t *p_stream, MP4_Box_t *p_box )
{
- /* XXX sometime moov is hiden in a free box */
+ /* XXX sometime moov is hidden in a free box */
if( p_box->p_father &&
p_box->p_father->i_type == ATOM_root &&
p_box->i_type == ATOM_free )
{
const uint8_t *p_peek;
- int i_read;
+ size_t header_size = mp4_box_headersize( p_box ) + 4;
vlc_fourcc_t i_fcc;
- i_read = vlc_stream_Peek( p_stream, &p_peek, 44 );
+ ssize_t i_read = vlc_stream_Peek( p_stream, &p_peek, 44 );
+ if( unlikely(i_read < (ssize_t)header_size) )
+ return 0;
- p_peek += mp4_box_headersize( p_box ) + 4;
- i_read -= mp4_box_headersize( p_box ) + 4;
+ p_peek += header_size;
+ i_read -= header_size;
if( i_read >= 8 )
{
More information about the vlc-commits
mailing list