[vlc-commits] mp4: check STSZ size before allocation

Rémi Denis-Courmont git at videolan.org
Fri Nov 24 20:54:39 CET 2017


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Nov 24 20:01:01 2017 +0200| [eab4f05a98fff46bf2f3b46bec8161b2a22e1266] | committer: Rémi Denis-Courmont

mp4: check STSZ size before allocation

This avoids allocating stupid amounts of memory.

Note: there is still an infinite loop if count == 0xffffffff
(with a suitably enormous input).

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=eab4f05a98fff46bf2f3b46bec8161b2a22e1266
---

 modules/demux/mp4/libmp4.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index ef77b6ea32..67445082ff 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2854,21 +2854,27 @@ static void MP4_FreeBox_stsz( MP4_Box_t *p_box )
 
 static int MP4_ReadBox_stsz( stream_t *p_stream, MP4_Box_t *p_box )
 {
+    uint32_t count;
+
     MP4_READBOX_ENTER( MP4_Box_data_stsz_t, MP4_FreeBox_stsz );
 
     MP4_GETVERSIONFLAGS( p_box->data.p_stsz );
 
     MP4_GET4BYTES( p_box->data.p_stsz->i_sample_size );
-    MP4_GET4BYTES( p_box->data.p_stsz->i_sample_count );
+    MP4_GET4BYTES( count );
+    p_box->data.p_stsz->i_sample_count = count;
 
     if( p_box->data.p_stsz->i_sample_size == 0 )
     {
+        if( UINT64_C(4) * count > (uint64_t)i_read )
+            MP4_READBOX_EXIT( 0 );
+
         p_box->data.p_stsz->i_entry_size =
-            calloc( p_box->data.p_stsz->i_sample_count, sizeof(uint32_t) );
+            vlc_alloc( count, sizeof(uint32_t) );
         if( unlikely( !p_box->data.p_stsz->i_entry_size ) )
             MP4_READBOX_EXIT( 0 );
 
-        for( unsigned int i = 0; (i<p_box->data.p_stsz->i_sample_count)&&(i_read >= 4 ); i++ )
+        for( uint32_t i = 0; i < count; i++ )
         {
             MP4_GET4BYTES( p_box->data.p_stsz->i_entry_size[i] );
         }
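Review bot: On the new early-exit path at `if( UINT64_C(4) * count > (uint64_t)i_read )`, `p_box->data.p_stsz->i_sample_count` has already been set to the file-supplied `count` (two lines after `MP4_GET4BYTES( count );`) while `i_entry_size` has not been allocated. Whether that is observable depends on what `MP4_READBOX_EXIT( 0 )` does with the box, which this hunk does not show. It would be safer to publish the count only once the table exists, for example by moving `p_box->data.p_stsz->i_sample_count = count;` below the allocation check, or by adding `p_box->data.p_stsz->i_sample_count = 0;` before the exit. Separately, `vlc_alloc` does not zero the buffer as `calloc` did, so the table is fully initialised only because the size check guarantees every `MP4_GET4BYTES` in the loop has 4 bytes left; a comment such as `/* size check above guarantees count * 4 bytes remain, so every entry is written */` above the loop would record that dependency. The body of `MP4_ReadBox_stsz` continues past the end of the hunk.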


