[vlc-devel] Rémi Denis-Courmont : Fix integer overflow in MP4 RDRF boxes
git version control
git at videolan.org
Sun Mar 2 09:48:46 CET 2008
Module: vlc
Branch: master
Commit: 09572892df7e72c0d4e598c0b5e076cf330d8b0a
URL: http://git2.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=09572892df7e72c0d4e598c0b5e076cf330d8b0a
Author: Rémi Denis-Courmont <rem at videolan.org>
Date: Sat Mar 1 22:22:48 2008 +0200
Fix integer overflow in MP4 RDRF boxes
Pointed-out-by: Drew Yao
Signed-off-by: Rémi Denis-Courmont <rem at videolan.org>
---
modules/demux/mp4/libmp4.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index fd668dd..b5aee5f 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1984,10 +1984,14 @@ static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
MP4_GET4BYTES( i_len );
+ i_len++;
+
if( i_len > 0 )
{
uint32_t i;
- p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
+ p_box->data.p_rdrf->psz_ref = malloc( i_len );
+ i_len--;
+
for( i = 0; i < i_len; i++ )
{
MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
More information about the vlc-devel
mailing list