[vlc-commits] demux: mp4: add sample overread check for non seekable case

[Francois Cartegnie]

vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Fri Apr 26 12:42:01 2019 +0200| [49db2cce11739f9b23347ba67721a7eff467dfc6] | committer: Francois Cartegnie

demux: mp4: add sample overread check for non seekable case

refs broken #22228

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=49db2cce11739f9b23347ba67721a7eff467dfc6
---

 modules/demux/mp4/mp4.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index ac02f1abac..5d4febeb51 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -1262,6 +1262,27 @@ static block_t * MP4_RTPHint_Convert( demux_t *p_demux, block_t *p_block, vlc_fo
     return p_converted;
 }
 
+static uint64_t OverflowCheck( demux_t *p_demux, mp4_track_t *tk,
+                               uint64_t i_readpos, uint64_t i_samplessize )
+{
+    demux_sys_t *p_sys = p_demux->p_sys;
+    if( !p_sys->b_seekable && p_sys->b_fragmented &&
+         p_sys->context.i_post_mdat_offset )
+    {
+        /* avoid breaking non seekable demux */
+        if( i_readpos + i_samplessize > p_sys->context.i_post_mdat_offset )
+        {
+            msg_Err(p_demux, "Broken file. track[0x%x] "
+                             "Sample @%" PRIu64 " overflowing "
+                             "parent mdat by %" PRIu64,
+                    tk->i_track_ID, i_readpos,
+                    i_readpos + i_samplessize - p_sys->context.i_post_mdat_offset );
+            i_samplessize = p_sys->context.i_post_mdat_offset - i_readpos;
+        }
+    }
+    return i_samplessize;
+}
+
 /*****************************************************************************
  * Demux: read packet and send them to decoders
  *****************************************************************************
@@ -1315,6 +1336,8 @@ static int DemuxTrack( demux_t *p_demux, mp4_track_t *tk, uint64_t i_readpos,
                 }
             }
 
+            i_samplessize = OverflowCheck( p_demux, tk, i_readpos, i_samplessize );
+
             /* now read pes */
             if( !(p_block = vlc_stream_Block( p_demux->s, i_samplessize )) )
             {
@@ -4463,6 +4486,8 @@ static int FragDemuxTrack( demux_t *p_demux, mp4_track_t *p_track,
         if( !len )
             msg_Warn(p_demux, "Zero length sample in trun.");
 
+        len = OverflowCheck( p_demux, p_track, vlc_stream_Tell(p_demux->s), len );
+
         block_t *p_block = vlc_stream_Block( p_demux->s, len );
         uint32_t i_read = ( p_block ) ? p_block->i_buffer : 0;
         p_track->context.i_trun_sample_pos += i_read;