[vlc-commits] mp4: fix integer overflow in HLDR box
Rémi Denis-Courmont
git at videolan.org
Thu Nov 30 18:33:47 CET 2017
vlc/vlc-3.0 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Thu Nov 30 19:32:58 2017 +0200| [a9535b9bee74dd1360083ae91f2350841a118045] | committer: Rémi Denis-Courmont
mp4: fix integer overflow in HLDR box
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=a9535b9bee74dd1360083ae91f2350841a118045
---
modules/demux/mp4/libmp4.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index a4a0d4f821..6531dab768 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1360,29 +1360,30 @@ static int MP4_ReadBox_hdlr( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GET4BYTES( i_reserved );
p_box->data.p_hdlr->psz_name = NULL;
+ if( i_read >= SSIZE_MAX )
+ MP4_READBOX_EXIT( 0 );
+
if( i_read > 0 )
{
- uint8_t *psz = p_box->data.p_hdlr->psz_name = malloc( i_read + 1 );
- if( unlikely( psz == NULL ) )
- MP4_READBOX_EXIT( 0 );
+ size_t i_copy;
/* Yes, I love .mp4 :( */
if( p_box->data.p_hdlr->i_predefined == VLC_FOURCC( 'm', 'h', 'l', 'r' ) )
{
uint8_t i_len;
- int i_copy;
MP4_GET1BYTE( i_len );
- i_copy = __MIN( i_read, i_len );
-
- memcpy( psz, p_peek, i_copy );
- p_box->data.p_hdlr->psz_name[i_copy] = '\0';
+ i_copy = (i_len <= i_read) ? i_len : i_read;
}
else
- {
- memcpy( psz, p_peek, i_read );
- p_box->data.p_hdlr->psz_name[i_read] = '\0';
- }
+ i_copy = i_read;
+
+ uint8_t *psz = p_box->data.p_hdlr->psz_name = malloc( i_copy + 1 );
+ if( unlikely( psz == NULL ) )
+ MP4_READBOX_EXIT( 0 );
+
+ memcpy( psz, p_peek, i_copy );
+ p_box->data.p_hdlr->psz_name[i_copy] = '\0';
}
#ifdef MP4_VERBOSE
More information about the vlc-commits
mailing list