[vlc-devel] commit: Fix integer overflow in MP4 RDRF boxes ( Rémi Denis-Courmont )
git version control
git at videolan.org
Mon Mar 3 21:08:11 CET 2008
vlc | branch: 0.8.6-bugfix | Rémi Denis-Courmont <rem at videolan.org> | Sat Mar 1 22:22:48 2008 +0200| [5f3d2122e2eb2e0b65e2409a1985b565332e2f5d]
Fix integer overflow in MP4 RDRF boxes
Pointed-out-by: Drew Yao
Signed-off-by: Rémi Denis-Courmont <rem at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=5f3d2122e2eb2e0b65e2409a1985b565332e2f5d
---
modules/demux/mp4/libmp4.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 8a762ea..8b1acd8 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1965,10 +1965,14 @@ static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
MP4_GET4BYTES( i_len );
+ i_len++;
+
if( i_len > 0 )
{
uint32_t i;
- p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
+ p_box->data.p_rdrf->psz_ref = malloc( i_len );
+ i_len--;
+
for( i = 0; i < i_len; i++ )
{
MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
More information about the vlc-devel
mailing list