[vlc-commits] [Git][videolan/vlc][3.0.x] 5 commits: demux: ts: fix potential wrong positive return with OD_DecSpecificDesc

Felix Paul Kühne (@fkuehne) gitlab at videolan.org
Sat Mar 28 09:12:07 UTC 2026 


Felix Paul Kühne pushed to branch 3.0.x at VideoLAN / VLC


Commits:
f435e1b0 by François Cartegnie at 2026-03-28T09:58:26+01:00
demux: ts: fix potential wrong positive return with OD_DecSpecificDesc

(cherry picked from commit 815f3a0433ef26f87ba46e1f23f79ce91d787152)

- - - - -
d1baf4d0 by François Cartegnie at 2026-03-28T09:58:26+01:00
demux: mpeg4: fix potential invalid free

(cherry picked from commit 5c124c9a6d8efb41b13cd7d491f023d8e5943dff)

- - - - -
5a0e5d11 by François Cartegnie at 2026-03-28T09:58:26+01:00
demux: mpeg4: restrict sizes reads to 32 bits

(cherry picked from commit dbcc17481522b3d21cf78f31aa7cd864c39934ed)

- - - - -
9252a3be by François Cartegnie at 2026-03-28T09:58:26+01:00
demux: mpeg4: check variable length limits

refs #29636

(cherry picked from commit 2c3716229178ce7403e90ef4d83c7f139ba1028a)

- - - - -
13f3c91a by François Cartegnie at 2026-03-28T09:58:26+01:00
demux: mpeg4: use define for es loop

(cherry picked from commit 5bc746a4e7504047178e079a91d3258aadcf16d8)

- - - - -


1 changed file:

- modules/demux/mpeg/mpeg4_iod.c


Changes:

=====================================
modules/demux/mpeg/mpeg4_iod.c
=====================================
@@ -50,25 +50,19 @@ static void od_debug( vlc_object_t *p_object, const char *format, ... )
  *****************************************************************************/
 static unsigned ODDescriptorLength( unsigned *pi_data, const uint8_t **pp_data )
 {
-    unsigned int i_b;
+    unsigned int i_b = 0x80;
     unsigned int i_len = 0;
 
-    if(*pi_data == 0)
-        return 0;
-
-    do
+    unsigned bytes = __MIN(*pi_data, 4);
+    for(unsigned i=0; i<bytes && (i_b&0x80); i++)
     {
         i_b = **pp_data;
         (*pp_data)++;
         (*pi_data)--;
         i_len = ( i_len << 7 ) + ( i_b&0x7f );
+    }
 
-    } while( i_b&0x80 && *pi_data > 0 );
-
-    if (i_len > *pi_data)
-        i_len = *pi_data;
-
-    return i_len;
+    return __MIN(i_len, *pi_data);
 }
 
 static unsigned ODGetBytes( unsigned *pi_data, const uint8_t **pp_data, size_t bytes )
@@ -133,13 +127,25 @@ static bool OD_SLDesc_Read( vlc_object_t *p_object, unsigned i_data, const uint8
         sl_descr->i_timestamp_resolution = ODGetBytes( &i_data, &p_data, 4 );
         sl_descr->i_OCR_resolution = ODGetBytes( &i_data, &p_data, 4 );
         sl_descr->i_timestamp_length = ODGetBytes( &i_data, &p_data, 1 );
+        if( sl_descr->i_timestamp_length > 64 )
+            return false;
         sl_descr->i_OCR_length = ODGetBytes( &i_data, &p_data, 1 );
+        if( sl_descr->i_OCR_length > 32 )
+            return false;
         sl_descr->i_AU_length = ODGetBytes( &i_data, &p_data, 1 );
+        if( sl_descr->i_AU_length > 32 )
+            return false;
         sl_descr->i_instant_bitrate_length = ODGetBytes( &i_data, &p_data, 1 );
+        if( sl_descr->i_instant_bitrate_length > 64 )
+            return false;
         uint16_t i16 = ODGetBytes( &i_data, &p_data, 2 );
         sl_descr->i_degradation_priority_length = i16 >> 12;
         sl_descr->i_AU_seqnum_length = (i16 >> 7) & 0x1f;
+        if( sl_descr->i_AU_seqnum_length > 16 )
+            return false;
         sl_descr->i_packet_seqnum_length = (i16 >> 2) & 0x1f;
+        if( sl_descr->i_packet_seqnum_length > 16 )
+            return false;
         break;
     case SL_Predefined_NULL:
         memset( sl_descr, 0, sizeof(*sl_descr) );
@@ -188,6 +194,7 @@ static bool OD_DecSpecificDesc_Read( vlc_object_t *p_object, unsigned i_data, co
         p_dec_config->i_extra = i_data;
         memcpy( p_dec_config->p_extra, p_data, p_dec_config->i_extra );
     }
+    else p_dec_config->i_extra = 0;
 
     return !!p_dec_config->i_extra;
 }
@@ -490,10 +497,7 @@ od_descriptor_t *IODNew( vlc_object_t *p_object, unsigned i_data, const uint8_t
     od_descriptor_t * ods[1];
     uint8_t i_count = ODInit( p_object, i_data, p_data, ODTag_InitialObjectDescr, 1, 1, ods );
     if( !i_count )
-    {
-        ODFree( ods[0] );
         return NULL;
-    }
     return ods[0];
 }
 
@@ -506,7 +510,7 @@ void ODFree( od_descriptor_t *p_iod )
         return;
     }
 
-    for( int i = 0; i < 255; i++ )
+    for( size_t i = 0; i < ES_DESCRIPTOR_COUNT; i++ )
     {
 #define es_descr p_iod->es_descr[i]
         if( es_descr.b_ok )



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/19ba4d858ebee8dfc917e9b39e6c1698f36e7ab6...13f3c91a63ff4050ca670a1c89b1b9655f201533

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/19ba4d858ebee8dfc917e9b39e6c1698f36e7ab6...13f3c91a63ff4050ca670a1c89b1b9655f201533
You're receiving this email because of your account on code.videolan.org.

More information about the vlc-commits mailing list