[vlc-devel] commit: Fix buffer overflow. ( Rémi Denis-Courmont )
git version control
git at videolan.org
Mon Mar 3 21:08:11 CET 2008
vlc | branch: 0.8.6-bugfix | Rémi Denis-Courmont <rem at videolan.org> | Sat Mar 1 18:54:56 2008 +0000| [8b46168dcae9b2b76101a3284f5e51ed3ac06b99]
Fix buffer overflow.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8b46168dcae9b2b76101a3284f5e51ed3ac06b99
---
modules/demux/mp4/libmp4.c | 48 ++++++++++++++++++++++---------------------
1 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 4501dbf..8a762ea 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1638,12 +1638,22 @@ static int MP4_ReadBox_stdp( stream_t *p_stream, MP4_Box_t *p_box )
static void MP4_FreeBox_stdp( MP4_Box_t *p_box )
{
- FREE( p_box->data.p_stdp->i_priority )
+ FREENULL( p_box->data.p_stdp->i_priority );
+}
+
+static void MP4_FreeBox_padb( MP4_Box_t *p_box )
+{
+ FREENULL( p_box->data.p_padb->i_reserved1 );
+ FREENULL( p_box->data.p_padb->i_pad2 );
+ FREENULL( p_box->data.p_padb->i_reserved2 );
+ FREENULL( p_box->data.p_padb->i_pad1 );
}
static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
{
+ int code = 0;
unsigned int i;
+ uint32_t count;
MP4_READBOX_ENTER( MP4_Box_data_padb_t );
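Review bot: MP4_FreeBox_padb is moved above MP4_ReadBox_padb with no comment saying that it now has to tolerate being called twice. The reader's new error path calls it directly, and if the generic box-release code also runs it after a failed read (not visible on this page), only the switch from FREE to FREENULL prevents a double free, assuming FREENULL resets the pointer as its name suggests. I would add `/* Called from MP4_ReadBox_padb on error and possibly again at box release: must leave every pointer NULL. */` above the function. MP4_ReadBox_padb's body continues outside this hunk.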
@@ -1651,23 +1661,21 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
+ count = p_box->data.p_padb->i_sample_count;
+ count = (count + 1) / 2;
- p_box->data.p_padb->i_reserved1 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
- p_box->data.p_padb->i_pad2 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
- p_box->data.p_padb->i_reserved2 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
- p_box->data.p_padb->i_pad1 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
-
+ p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
for( i = 0; i < i_read / 2 ; i++ )
{
+ if( i >= count )
+ {
+ MP4_FreeBox_padb( p_box );
+ goto error;
+ }
p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
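Review bot: The four calloc() results are used in the loop without a NULL check, so the new `i >= count` guard does not cover the case where the allocation itself fails. i_sample_count is read straight from the file by MP4_GET4BYTES, so a large value can make calloc return NULL while count stays far above i_read / 2, and the first store then goes through a null pointer. Checking the four pointers right after the allocations and taking the same cleanup path closes that gap. Separately, the context line that stores the `>> 3` bit writes i_reserved1[i] a second time; it looks meant for i_reserved2, which this hunk never fills. The loop body continues outside the hunk.

```c
p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
/* calloc( 0, ... ) may legitimately return NULL, so only treat NULL as
 * an allocation failure when entries were actually requested. */
if( count > 0
 && ( !p_box->data.p_padb->i_reserved1 || !p_box->data.p_padb->i_pad2
   || !p_box->data.p_padb->i_reserved2 || !p_box->data.p_padb->i_pad1 ) )
{
    MP4_FreeBox_padb( p_box );
    goto error;
}
/* … unchanged: per-entry bounds check and bit-unpacking loop … */
```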
@@ -1681,15 +1689,9 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
i_read / 2 );
#endif
- MP4_READBOX_EXIT( 1 );
-}
-
-static void MP4_FreeBox_padb( MP4_Box_t *p_box )
-{
- FREE( p_box->data.p_padb->i_reserved1 );
- FREE( p_box->data.p_padb->i_pad2 );
- FREE( p_box->data.p_padb->i_reserved2 );
- FREE( p_box->data.p_padb->i_pad1 );
+ code = 1;
+error:
+ MP4_READBOX_EXIT( code );
}
static int MP4_ReadBox_elst( stream_t *p_stream, MP4_Box_t *p_box )