[vlc-commits] mp4: check STSH size before allocation

Rémi Denis-Courmont git at videolan.org
Fri Nov 24 20:54:46 CET 2017 

vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Nov 24 20:01:01 2017 +0200| [f6175b3f4263d4a4bc11179bac6add7eeeb032a4] | committer: Rémi Denis-Courmont

mp4: check STSH size before allocation

This avoids allocating stupid amounts of memory.

Note: there is still an infinite loop if count == 0xffffffff
(with a suitably enormous input).

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=f6175b3f4263d4a4bc11179bac6add7eeeb032a4
---

 modules/demux/mp4/libmp4.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index b6f2ad6eb7..3d3e9e1858 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -3078,32 +3078,30 @@ static void MP4_FreeBox_stsh( MP4_Box_t *p_box )
 
 static int MP4_ReadBox_stsh( stream_t *p_stream, MP4_Box_t *p_box )
 {
+    uint32_t count;
+
     MP4_READBOX_ENTER( MP4_Box_data_stsh_t, MP4_FreeBox_stsh );
 
     MP4_GETVERSIONFLAGS( p_box->data.p_stsh );
+    MP4_GET4BYTES( count );
 
+    if( UINT64_C(8) * count > i_read )
+        MP4_READBOX_EXIT( 0 );
 
-    MP4_GET4BYTES( p_box->data.p_stsh->i_entry_count );
-
-    p_box->data.p_stsh->i_shadowed_sample_number =
-        calloc( p_box->data.p_stsh->i_entry_count, sizeof(uint32_t) );
-    p_box->data.p_stsh->i_sync_sample_number =
-        calloc( p_box->data.p_stsh->i_entry_count, sizeof(uint32_t) );
-
+    p_box->data.p_stsh->i_shadowed_sample_number = vlc_alloc( count,
+                                                            sizeof(uint32_t) );
+    p_box->data.p_stsh->i_sync_sample_number = vlc_alloc( count,
+                                                          sizeof(uint32_t) );
     if( p_box->data.p_stsh->i_shadowed_sample_number == NULL
      || p_box->data.p_stsh->i_sync_sample_number == NULL )
-    {
         MP4_READBOX_EXIT( 0 );
-    }
+    p_box->data.p_stsh->i_entry_count = count;
 
-    unsigned i;
-    for( i = 0; (i < p_box->data.p_stss->i_entry_count )&&( i_read >= 8 ); i++ )
+    for( uint32_t i = 0; i < p_box->data.p_stss->i_entry_count; i++ )
     {
         MP4_GET4BYTES( p_box->data.p_stsh->i_shadowed_sample_number[i] );
         MP4_GET4BYTES( p_box->data.p_stsh->i_sync_sample_number[i] );
     }
-    if ( i < p_box->data.p_stss->i_entry_count )
-        p_box->data.p_stss->i_entry_count = i;
 
 #ifdef MP4_VERBOSE
     msg_Dbg( p_stream, "read box: \"stsh\" entry-count %d",

More information about the vlc-commits mailing list