[vlc-commits] mp4: fix PADB parsing

Rémi Denis-Courmont git at videolan.org
Fri Nov 24 20:54:37 CET 2017


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Nov 24 19:03:18 2017 +0200| [94f3a3408e2067cc58dee62c434713b22435aa53] | committer: Rémi Denis-Courmont

mp4: fix PADB parsing

 - Fix integer overflow if sample count is 0xffffffff.
 - Merge table pairs.
 - Rationalize table sizes.
 - Check data size before allocation.

Not sure why we even extract those though - nothing reads the data.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=94f3a3408e2067cc58dee62c434713b22435aa53
---

 modules/demux/mp4/libmp4.c | 44 ++++++++++++++++++++------------------------
 modules/demux/mp4/libmp4.h |  7 ++-----
 2 files changed, 22 insertions(+), 29 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index b5e5a0598b..ee6ff3d132 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -3138,10 +3138,8 @@ static int MP4_ReadBox_stdp( stream_t *p_stream, MP4_Box_t *p_box )
 
 static void MP4_FreeBox_padb( MP4_Box_t *p_box )
 {
-    FREENULL( p_box->data.p_padb->i_reserved1 );
-    FREENULL( p_box->data.p_padb->i_pad2 );
-    FREENULL( p_box->data.p_padb->i_reserved2 );
-    FREENULL( p_box->data.p_padb->i_pad1 );
+    FREENULL( p_box->data.p_padb->i_reserved );
+    FREENULL( p_box->data.p_padb->i_pad );
 }
 
 static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
@@ -3151,34 +3149,32 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
     MP4_READBOX_ENTER( MP4_Box_data_padb_t, MP4_FreeBox_padb );
 
     MP4_GETVERSIONFLAGS( p_box->data.p_padb );
+    MP4_GET4BYTES( count );
 
-    MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
-    count = (p_box->data.p_padb->i_sample_count + 1) / 2;
+    if( ((count / 2) + (count & 1)) > i_read )
+    {
+        MP4_READBOX_EXIT( 0 );
+    }
+
+    p_box->data.p_padb->i_reserved = malloc( count );
+    p_box->data.p_padb->i_pad = malloc( count );
+    p_box->data.p_padb->i_sample_count = count;
 
-    p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
-    p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
-    p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
-    p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
-    if( p_box->data.p_padb->i_reserved1 == NULL
-     || p_box->data.p_padb->i_pad2 == NULL
-     || p_box->data.p_padb->i_reserved2 == NULL
-     || p_box->data.p_padb->i_pad1 == NULL )
+    if( unlikely(p_box->data.p_padb->i_reserved == NULL
+              || p_box->data.p_padb->i_pad == NULL) )
     {
         MP4_READBOX_EXIT( 0 );
     }
 
-    for( unsigned int i = 0; i < i_read / 2 ; i++ )
+    for( size_t i = 0; i < count; i += 2 )
     {
-        if( i >= count )
-        {
-            MP4_READBOX_EXIT( 0 );
-        }
-        p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
-        p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
-        p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
-        p_box->data.p_padb->i_pad1[i] = ( (*p_peek) )&0x07;
+        p_box->data.p_padb->i_reserved[i] = ( (*p_peek) >> 7 )&0x01;
+        p_box->data.p_padb->i_pad[i + 1] = ( (*p_peek) >> 4 )&0x07;
+        p_box->data.p_padb->i_reserved[i + 1] = ( (*p_peek) >> 3 )&0x01;
+        p_box->data.p_padb->i_pad[i] = ( (*p_peek) )&0x07;
 
-        p_peek += 1; i_read -= 1;
+        p_peek++;
+        i_read--;
     }
 
 #ifdef MP4_VERBOSE
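Review bot: When `count` is odd, the last loop iteration (`i == count - 1`) stores to `i_reserved[i + 1]` and `i_pad[i + 1]`, which is index `count`, one byte past each `malloc( count )` buffer. That is a one-byte heap overflow controlled by the sample count read from the file. The simplest fix that adds no arithmetic to the allocation size is to guard the two second-sample stores with `if( i + 1 < count )`. Rounding the allocations up with `malloc( count + (count & 1) )` also works, but only if that sum cannot wrap in `count`'s type; its declaration is outside the hunk, as is the rest of MP4_ReadBox_padb. Separately, `malloc( 0 )` may return NULL, so a box with a zero sample count could be rejected on some platforms by the `unlikely(... == NULL)` check.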
diff --git a/modules/demux/mp4/libmp4.h b/modules/demux/mp4/libmp4.h
index 925b4014bb..a7088df56f 100644
--- a/modules/demux/mp4/libmp4.h
+++ b/modules/demux/mp4/libmp4.h
@@ -935,11 +935,8 @@ typedef struct MP4_Box_data_padb_s
 
     uint32_t i_sample_count;
 
-    uint16_t *i_reserved1;   /* 1bit  */
-    uint16_t *i_pad2;        /* 3bits */
-    uint16_t *i_reserved2;   /* 1bit  */
-    uint16_t *i_pad1;        /* 3bits */
-
+    unsigned char *i_reserved;   /* 1bit  */
+    unsigned char *i_pad;        /* 3bits */
 
 } MP4_Box_data_padb_t;
 


