[vlc-commits] mp4: check CTTS size before allocation

Rémi Denis-Courmont git at videolan.org
Fri Nov 24 20:54:44 CET 2017


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Nov 24 20:01:01 2017 +0200| [90e610081180134d244d2f9220070916685d3fad] | committer: Rémi Denis-Courmont

mp4: check CTTS size before allocation

This avoids allocating stupid amounts of memory.

Note: there is still an infinite loop if count == 0xffffffff
(with a suitably enormous input).

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=90e610081180134d244d2f9220070916685d3fad
---

 modules/demux/mp4/libmp4.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 4e105cf684..de973056ca 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1595,34 +1595,31 @@ static void MP4_FreeBox_ctts( MP4_Box_t *p_box )
 
 static int MP4_ReadBox_ctts( stream_t *p_stream, MP4_Box_t *p_box )
 {
+    uint32_t count;
+
     MP4_READBOX_ENTER( MP4_Box_data_ctts_t, MP4_FreeBox_ctts );
 
     MP4_GETVERSIONFLAGS( p_box->data.p_ctts );
+    MP4_GET4BYTES( count );
 
-    MP4_GET4BYTES( p_box->data.p_ctts->i_entry_count );
+    if( UINT64_C(8) * count > i_read )
+        MP4_READBOX_EXIT( 0 );
 
-    p_box->data.p_ctts->pi_sample_count =
-        calloc( p_box->data.p_ctts->i_entry_count, sizeof(uint32_t) );
-    p_box->data.p_ctts->pi_sample_offset =
-        calloc( p_box->data.p_ctts->i_entry_count, sizeof(int32_t) );
-    if( ( p_box->data.p_ctts->pi_sample_count == NULL )
-     || ( p_box->data.p_ctts->pi_sample_offset == NULL ) )
-    {
+    p_box->data.p_ctts->pi_sample_count = vlc_alloc( count, sizeof(uint32_t) );
+    p_box->data.p_ctts->pi_sample_offset = vlc_alloc( count, sizeof(int32_t) );
+    if( unlikely(p_box->data.p_ctts->pi_sample_count == NULL
+              || p_box->data.p_ctts->pi_sample_offset == NULL) )
         MP4_READBOX_EXIT( 0 );
-    }
+    p_box->data.p_ctts->i_entry_count = count;
 
-    uint32_t i = 0;
-    for( ; (i < p_box->data.p_ctts->i_entry_count )&&( i_read >=8 ); i++ )
+    for( uint32_t i = 0; i < count; i++ )
     {
         MP4_GET4BYTES( p_box->data.p_ctts->pi_sample_count[i] );
         MP4_GET4BYTES( p_box->data.p_ctts->pi_sample_offset[i] );
     }
-    if ( i < p_box->data.p_ctts->i_entry_count )
-        p_box->data.p_ctts->i_entry_count = i;
 
 #ifdef MP4_VERBOSE
-    msg_Dbg( p_stream, "read box: \"ctts\" entry-count %d",
-                      p_box->data.p_ctts->i_entry_count );
+    msg_Dbg( p_stream, "read box: \"ctts\" entry-count %"PRIu32, count );
 
 #endif
     MP4_READBOX_EXIT( 1 );
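Review bot: The size guard `if( UINT64_C(8) * count > i_read )` hard-codes the per-entry size; since the loop below reads one uint32_t and one int32_t per entry, spelling it as `if( (sizeof(uint32_t) + sizeof(int32_t)) * (uint64_t)count > i_read )` with the comment `/* reject an entry count the remaining payload cannot hold; this also bounds the two allocations below */` ties the check to the reads it protects. This relies on i_read being the bytes still unread after the version/flags and count fields, which MP4_READBOX_ENTER and MP4_GET4BYTES presumably maintain but the hunk does not show. Note also that a box whose payload is shorter than its declared count is now rejected outright via MP4_READBOX_EXIT( 0 ), where the removed loop parsed the entries present and truncated i_entry_count — fail-closed on malformed input, which is worth stating explicitly in the description. Regarding the description's remark about count == 0xffffffff: with `uint32_t i` and `i < count` the new loop terminates once i reaches UINT32_MAX, so if a hang remains it must be elsewhere. The function's closing brace lies outside the hunk.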


