[vlc-commits] [Git][videolan/vlc][master] demux: libmp4: add recursion limit for containers

[Felix Paul Kühne (@fkuehne)]

Felix Paul Kühne pushed to branch master at VideoLAN / VLC


Commits:
42741b88 by François Cartegnie at 2026-04-24T13:53:02+02:00
demux: libmp4: add recursion limit for containers

refs #29790

- - - - -


1 changed file:

- modules/demux/mp4/libmp4.c


Changes:

=====================================
modules/demux/mp4/libmp4.c
=====================================
@@ -39,6 +39,8 @@
 #include <limits.h>
 #include <stdckdint.h>
 
+#define MP4_DEPTH_MAX 32
+
 /* Some assumptions:
  * The input method HAS to be seekable
  */
@@ -193,6 +195,14 @@ static inline void GetUUID( UUID_t *p_uuid, const uint8_t *p_buff )
     memcpy( p_uuid, p_buff, 16 );
 }
 
+static unsigned GetDepth( const MP4_Box_t *box )
+{
+    unsigned i = 0;
+    for( ; box ; box = box->p_father )
+        i++;
+    return i;
+}
+
 static video_palette_t * ReadQuicktimePalette( uint8_t **pp_peek, uint64_t *pi_read )
 {
     uint8_t *p_peek = *pp_peek;
@@ -537,6 +547,9 @@ static int MP4_ReadBoxContainerChildrenIndexed( stream_t *p_stream,
         return 0;
     }
 
+    if( GetDepth( p_container ) > MP4_DEPTH_MAX ) /* Prevent unbounded recursions */
+        return 1;
+
     uint64_t i_last_pos = 0; /* used to detect read failure loops */
     const uint64_t i_end = p_container->i_pos + p_container->i_size;
     MP4_Box_t *p_box = NULL;



View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/42741b88474fe124ed070dd5ca1691c82e64c76f

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/42741b88474fe124ed070dd5ca1691c82e64c76f
You're receiving this email because of your account on code.videolan.org.