[vlc-commits] [Git][videolan/vlc][master] 5 commits: demux: ts: fix potential wrong positive return with OD_DecSpecificDesc
Felix Paul Kühne (@fkuehne)
gitlab at videolan.org
Sun Mar 15 06:30:05 UTC 2026
Felix Paul Kühne pushed to branch master at VideoLAN / VLC
Commits:
815f3a04 by François Cartegnie at 2026-03-15T06:48:44+01:00
demux: ts: fix potential wrong positive return with OD_DecSpecificDesc
- - - - -
5c124c9a by François Cartegnie at 2026-03-15T06:48:44+01:00
demux: mpeg4: fix potential invalid free
- - - - -
dbcc1748 by François Cartegnie at 2026-03-15T06:48:44+01:00
demux: mpeg4: restrict sizes reads to 32 bits
- - - - -
2c371622 by François Cartegnie at 2026-03-15T06:48:44+01:00
demux: mpeg4: check variable length limits
refs #29636
- - - - -
5bc746a4 by François Cartegnie at 2026-03-15T06:48:44+01:00
demux: mpeg4: use define for es loop
- - - - -
1 changed file:
- modules/demux/mpeg/mpeg4_iod.c
Changes:
=====================================
modules/demux/mpeg/mpeg4_iod.c
=====================================
@@ -53,25 +53,19 @@ static void od_debug( vlc_object_t *p_object, const char *format, ... )
*****************************************************************************/
static unsigned ODDescriptorLength( unsigned *pi_data, const uint8_t **pp_data )
{
- unsigned int i_b;
+ unsigned int i_b = 0x80;
unsigned int i_len = 0;
- if(*pi_data == 0)
- return 0;
-
- do
+ unsigned bytes = __MIN(*pi_data, 4);
+ for(unsigned i=0; i<bytes && (i_b&0x80); i++)
{
i_b = **pp_data;
(*pp_data)++;
(*pi_data)--;
i_len = ( i_len << 7 ) + ( i_b&0x7f );
+ }
- } while( i_b&0x80 && *pi_data > 0 );
-
- if (i_len > *pi_data)
- i_len = *pi_data;
-
- return i_len;
+ return __MIN(i_len, *pi_data);
}
static unsigned ODGetBytes( unsigned *pi_data, const uint8_t **pp_data, size_t bytes )
@@ -136,13 +130,25 @@ static bool OD_SLDesc_Read( vlc_object_t *p_object, unsigned i_data, const uint8
sl_descr->i_timestamp_resolution = ODGetBytes( &i_data, &p_data, 4 );
sl_descr->i_OCR_resolution = ODGetBytes( &i_data, &p_data, 4 );
sl_descr->i_timestamp_length = ODGetBytes( &i_data, &p_data, 1 );
+ if( sl_descr->i_timestamp_length > 64 )
+ return false;
sl_descr->i_OCR_length = ODGetBytes( &i_data, &p_data, 1 );
+ if( sl_descr->i_OCR_length > 32 )
+ return false;
sl_descr->i_AU_length = ODGetBytes( &i_data, &p_data, 1 );
+ if( sl_descr->i_AU_length > 32 )
+ return false;
sl_descr->i_instant_bitrate_length = ODGetBytes( &i_data, &p_data, 1 );
+ if( sl_descr->i_instant_bitrate_length > 64 )
+ return false;
uint16_t i16 = ODGetBytes( &i_data, &p_data, 2 );
sl_descr->i_degradation_priority_length = i16 >> 12;
sl_descr->i_AU_seqnum_length = (i16 >> 7) & 0x1f;
+ if( sl_descr->i_AU_seqnum_length > 16 )
+ return false;
sl_descr->i_packet_seqnum_length = (i16 >> 2) & 0x1f;
+ if( sl_descr->i_packet_seqnum_length > 16 )
+ return false;
break;
case SL_Predefined_NULL:
memset( sl_descr, 0, sizeof(*sl_descr) );
@@ -191,6 +197,7 @@ static bool OD_DecSpecificDesc_Read( vlc_object_t *p_object, unsigned i_data, co
p_dec_config->i_extra = i_data;
memcpy( p_dec_config->p_extra, p_data, p_dec_config->i_extra );
}
+ else p_dec_config->i_extra = 0;
return !!p_dec_config->i_extra;
}
@@ -500,10 +507,7 @@ od_descriptor_t *IODNew( vlc_object_t *p_object, unsigned i_data, const uint8_t
od_descriptor_t * ods[1];
uint8_t i_count = ODInit( p_object, i_data, p_data, ODTag_InitialObjectDescr, 1, 1, ods );
if( !i_count )
- {
- ODFree( ods[0] );
return NULL;
- }
return ods[0];
}
@@ -516,7 +520,7 @@ void ODFree( od_descriptor_t *p_iod )
return;
}
- for( int i = 0; i < 255; i++ )
+ for( size_t i = 0; i < ES_DESCRIPTOR_COUNT; i++ )
{
#define es_descr p_iod->es_descr[i]
if( es_descr.b_ok )
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/1ea9975ccca1f7872aac40d2b1cd1ca00ce6cd94...5bc746a4e7504047178e079a91d3258aadcf16d8
--
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/1ea9975ccca1f7872aac40d2b1cd1ca00ce6cd94...5bc746a4e7504047178e079a91d3258aadcf16d8
You're receiving this email because of your account on code.videolan.org.
VideoLAN code repository instance
More information about the vlc-commits
mailing list