[vlc-commits] [Git][videolan/vlc][master] 3 commits: demux: libmp4: always reset the free's sgpd entries on error

Thomas Guillem (@tguillem) gitlab at videolan.org
Mon Sep 15 08:32:34 UTC 2025 


Thomas Guillem pushed to branch master at VideoLAN / VLC


Commits:
2c1ccef0 by Steve Lhomme at 2025-09-15T10:32:08+02:00
demux: libmp4: always reset the free's sgpd entries on error

MP4_FreeBox_sgpd() might be called and try to free it again.

Fixes https://code.videolan.org/videolan/vlc/-/issues/29287

- - - - -
61fd74b4 by Steve Lhomme at 2025-09-15T10:32:08+02:00
cvdsub: avoid reading past the end of metadata

We always read p[0] to p[3]. If p[3] is further than the end
of our buffer we should not use these data.

Fixes https://code.videolan.org/videolan/vlc/-/issues/29286

- - - - -
de0810d8 by Steve Lhomme at 2025-09-15T10:32:08+02:00
demux: nsv: don't dereference pointer if it's past the buffer

Fixes #29300

- - - - -


3 changed files:

- modules/codec/cvdsub.c
- modules/demux/mp4/libmp4.c
- modules/demux/nsv.c


Changes:

=====================================
modules/codec/cvdsub.c
=====================================
@@ -349,7 +349,7 @@ static void ParseMetaInfo( decoder_t *p_dec, block_t *p_spu  )
     uint8_t       *p     = p_spu->p_buffer + p_sys->metadata_offset;
     uint8_t       *p_end = p + p_sys->metadata_length;
 
-    for( ; p < p_end; p += 4 )
+    for( ; &p[3] < p_end; p += 4 )
     {
         switch( p[0] )
         {


=====================================
modules/demux/mp4/libmp4.c
=====================================
@@ -2354,6 +2354,8 @@ static int MP4_ReadBox_sgpd( stream_t *p_stream, MP4_Box_t *p_box )
                     if( i_read < 2 )
                     {
                         free( p_sgpd->p_entries );
+                        p_sgpd->i_entry_count = 0;
+                        p_sgpd->p_entries = NULL;
                         MP4_READBOX_EXIT( 0 );
                     }
                     union
@@ -2369,6 +2371,8 @@ static int MP4_ReadBox_sgpd( stream_t *p_stream, MP4_Box_t *p_box )
             default:
                 vlc_assert_unreachable();
                 free( p_sgpd->p_entries );
+                p_sgpd->i_entry_count = 0;
+                p_sgpd->p_entries = NULL;
                 MP4_READBOX_EXIT( 0 );
         }
     }


=====================================
modules/demux/nsv.c
=====================================
@@ -252,7 +252,7 @@ static int Demux( demux_t *p_demux )
                     {
                         p++;
                     }
-                    if( *p == 0 && p + 1 < &p_frame->p_buffer[p_frame->i_buffer] )
+                    if( p + 1 < &p_frame->p_buffer[p_frame->i_buffer] && *p == 0 )
                     {
                         p_frame->i_buffer -= p + 1 - p_frame->p_buffer;
                         p_frame->p_buffer = p + 1;
@@ -645,4 +645,3 @@ static int ReadNSVs( demux_t *p_demux )
 
     return VLC_SUCCESS;
 }
-



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/ac029e853f7c0e3a1a5f635776c784657e43b066...de0810d8993842fc2bf7c9538f990c8c7184e00b

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/ac029e853f7c0e3a1a5f635776c784657e43b066...de0810d8993842fc2bf7c9538f990c8c7184e00b
You're receiving this email because of your account on code.videolan.org.


VideoLAN code repository instance

More information about the vlc-commits mailing list