[vlc-commits] demux: mp4: add sample overread check for non seekable case

Francois Cartegnie git at videolan.org
Tue Apr 30 15:32:44 CEST 2019


vlc/vlc-3.0 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Fri Apr 26 12:42:01 2019 +0200| [06fab084cab29248305927c2f34c124504b29e56] | committer: Francois Cartegnie

demux: mp4: add sample overread check for non seekable case

refs broken #22228

(cherry picked from commit 49db2cce11739f9b23347ba67721a7eff467dfc6)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=06fab084cab29248305927c2f34c124504b29e56
---

 modules/demux/mp4/mp4.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index c70f6f6fd0..3e638c12e1 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -1169,6 +1169,27 @@ static block_t * MP4_RTPHint_Convert( demux_t *p_demux, block_t *p_block, vlc_fo
     return p_converted;
 }
 
+static uint64_t OverflowCheck( demux_t *p_demux, mp4_track_t *tk,
+                               uint64_t i_readpos, uint64_t i_samplessize )
+{
+    demux_sys_t *p_sys = p_demux->p_sys;
+    if( !p_sys->b_seekable && p_sys->b_fragmented &&
+         p_sys->context.i_post_mdat_offset )
+    {
+        /* avoid breaking non seekable demux */
+        if( i_readpos + i_samplessize > p_sys->context.i_post_mdat_offset )
+        {
+            msg_Err(p_demux, "Broken file. track[0x%x] "
+                             "Sample @%" PRIu64 " overflowing "
+                             "parent mdat by %" PRIu64,
+                    tk->i_track_ID, i_readpos,
+                    i_readpos + i_samplessize - p_sys->context.i_post_mdat_offset );
+            i_samplessize = p_sys->context.i_post_mdat_offset - i_readpos;
+        }
+    }
+    return i_samplessize;
+}
+
 /*****************************************************************************
  * Demux: read packet and send them to decoders
  *****************************************************************************
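Review bot: In `OverflowCheck`, the test `i_readpos + i_samplessize > p_sys->context.i_post_mdat_offset` is also true when `i_readpos` is already past `i_post_mdat_offset`, and then `i_post_mdat_offset - i_readpos` wraps around in `uint64_t`, so the returned size becomes enormous instead of being clamped; the sum itself could wrap too if the size is not bounded earlier. Both values are derived from container data, so the bound is better computed by subtraction against the bytes still available, yielding 0 once the read position is at or beyond the mdat end, as sketched below. Both call sites added in this commit (`DemuxTrack` and `FragDemuxTrack`) pass the result straight to `vlc_stream_Block`, so they would inherit a wrapped value. A one-line comment above the function saying that it clamps rather than only checks would also help, e.g. `/* Clamp a sample size to the bytes left in the parent mdat (non seekable fragmented input only) */`.

```c
static uint64_t OverflowCheck( demux_t *p_demux, mp4_track_t *tk,
                               uint64_t i_readpos, uint64_t i_samplessize )
{
    /* … unchanged: p_sys lookup and the non seekable / fragmented condition … */
        const uint64_t i_end = p_sys->context.i_post_mdat_offset;
        /* bytes left before the end of the parent mdat, 0 if already past it */
        const uint64_t i_avail = ( i_readpos < i_end ) ? i_end - i_readpos : 0;
        if( i_samplessize > i_avail )
        {
            msg_Err(p_demux, "Broken file. track[0x%x] "
                             "Sample @%" PRIu64 " overflowing "
                             "parent mdat by %" PRIu64,
                    tk->i_track_ID, i_readpos,
                    i_samplessize - i_avail );
            i_samplessize = i_avail;
        }
    /* … unchanged: return i_samplessize … */
```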
@@ -1221,6 +1242,8 @@ static int DemuxTrack( demux_t *p_demux, mp4_track_t *tk, uint64_t i_readpos,
                 }
             }
 
+            i_samplessize = OverflowCheck( p_demux, tk, i_readpos, i_samplessize );
+
             /* now read pes */
             if( !(p_block = vlc_stream_Block( p_demux->s, i_samplessize )) )
             {
@@ -4331,6 +4354,8 @@ static int FragDemuxTrack( demux_t *p_demux, mp4_track_t *p_track,
         if( !len )
             msg_Warn(p_demux, "Zero length sample in trun.");
 
+        len = OverflowCheck( p_demux, p_track, vlc_stream_Tell(p_demux->s), len );
+
         block_t *p_block = vlc_stream_Block( p_demux->s, len );
         uint32_t i_read = ( p_block ) ? p_block->i_buffer : 0;
         p_track->context.i_trun_sample_pos += i_read;
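Review bot: The clamp on `len` runs after the `if( !len )` warning, so a sample that starts exactly at the mdat end is reduced to zero bytes and handed to `vlc_stream_Block( p_demux->s, len )` without going through the zero-length path. How a zero-size request and the resulting `i_read` of 0 are handled is outside the hunk, so this is worth confirming; placing the `len = OverflowCheck( ... );` line above the `if( !len )` test would at least keep the two cases consistent. The declaration of `len` is also not visible here, and if it is narrower than the `uint64_t` that `OverflowCheck` returns the assignment truncates silently. The body of `FragDemuxTrack` starts and ends outside the hunk.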


