[vlc-commits] [Git][videolan/vlc][3.0.x] demux: libmp4: add recursion limit for containers
Jean-Baptiste Kempf (@jbk)
gitlab at videolan.org
Mon May 11 05:53:59 UTC 2026
Jean-Baptiste Kempf pushed to branch 3.0.x at VideoLAN / VLC
Commits:
b2721801 by François Cartegnie at 2026-05-11T07:38:01+02:00
demux: libmp4: add recursion limit for containers
refs #29790
(cherry picked from commit 42741b88474fe124ed070dd5ca1691c82e64c76f)
Signed-off-by: Marvin Scholz <epirat07 at gmail.com>
- - - - -
1 changed file:
- modules/demux/mp4/libmp4.c
Changes:
=====================================
modules/demux/mp4/libmp4.c
=====================================
@@ -38,6 +38,8 @@
#include <assert.h>
#include <limits.h>
+#define MP4_DEPTH_MAX 32
+
/* Some assumptions:
* The input method HAS to be seekable
*/
@@ -108,6 +110,14 @@ static char *mp4_getstringz( uint8_t **restrict in, uint64_t *restrict size )
(p_str) = mp4_getstringz( &p_peek, &i_read ); \
while(0)
+static unsigned GetDepth( const MP4_Box_t *box )
+{
+ unsigned i = 0;
+ for( ; box ; box = box->p_father )
+ i++;
+ return i;
+}
+
static uint8_t *mp4_readbox_enter_common( stream_t *s, MP4_Box_t *box,
size_t typesize,
void (*release)( MP4_Box_t * ),
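Review bot: GetDepth has no comment saying what it counts, and the count includes `box` itself, so a box with no `p_father` yields 1 rather than 0. This matters for the `> MP4_DEPTH_MAX` comparison added in MP4_ReadBoxContainerChildrenIndexed, where containers up to a count of 32 still have their children read. I would add `/* Number of boxes on the p_father chain, box included (a root box counts as 1) */` above the function. The `#define MP4_DEPTH_MAX 32` in the first hunk also deserves a one-line comment saying it bounds container nesting when parsing untrusted files.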
@@ -429,6 +439,9 @@ static int MP4_ReadBoxContainerChildrenIndexed( stream_t *p_stream,
return 0;
}
+ if( GetDepth( p_container ) > MP4_DEPTH_MAX ) /* Prevent unbounded recursions */
+ return 1;
+
uint64_t i_last_pos = 0; /* used to detect read failure loops */
const uint64_t i_end = p_container->i_pos + p_container->i_size;
MP4_Box_t *p_box = NULL;
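Review bot: The new depth check returns 1 while the guard just above it returns 0, so if 1 is the success value here, an over-nested container is reported like a normal read with its children silently dropped. Nothing is logged, which leaves a crafted or corrupt file that hits the limit indistinguishable from a container that is simply empty. I would brace the branch and emit a warning before returning, for example `msg_Warn( p_stream, "box nesting exceeds %d levels, children skipped", MP4_DEPTH_MAX );`. The function body starts and ends outside this hunk, so it is worth confirming that callers still skip to the end of the container when its children are not read.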
View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/b27218019578eab1cf7668c3adc6607e96d5a6e8