[vlc-devel] commit: Fixed potential stack overflow in mp4 demuxer. (Laurent Aimar )

git version control git at videolan.org
Tue Sep 15 23:15:46 CEST 2009


vlc | branch: 1.0-bugfix | Laurent Aimar <fenrir at videolan.org> | Tue Sep 15 21:03:42 2009 +0200| [373cca961416795d92a12a9db010c9e11d2afa29] | committer: Laurent Aimar 

Fixed potential stack overflow in mp4 demuxer.

Reported by Sebastian Apelt, Siberas.
(cherry picked from commit c5b02d011b8c634d041167f4d2936b55eca4d18d)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=373cca961416795d92a12a9db010c9e11d2afa29
---

 modules/demux/mp4/libmp4.c |   16 +++++++++++-----
 1 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index c4e9db1..9bf1a9d 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2876,18 +2876,24 @@ static void __MP4_BoxDumpStructure( stream_t *s,
     }
     else
     {
-        char str[512];
         unsigned int i;
-        memset( str, (uint8_t)' ', 512 );
+
+        char str[512];
+        if( i_level * 5 + 1 >= sizeof(str) )
+            return;
+
+        memset( str, ' ', sizeof(str) );
         for( i = 0; i < i_level; i++ )
         {
             str[i*5] = '|';
         }
-        if MP4_BOX_TYPE_ASCII()
-            sprintf( str + i_level * 5, "+ %4.4s size %d",
+        if( MP4_BOX_TYPE_ASCII() )
+            snprintf( &str[i_level * 5], sizeof(str) - 5*i_level,
+                      "+ %4.4s size %d",
                         (char*)&p_box->i_type, (uint32_t)p_box->i_size );
         else
-            sprintf( str + i_level * 5, "+ c%3.3s size %d",
+            snprintf( &str[i_level * 5], sizeof(str) - 5*i_level,
+                      "+ c%3.3s size %d",
                         (char*)&p_box->i_type+1, (uint32_t)p_box->i_size );
         msg_Dbg( s, "%s", str );
     }




More information about the vlc-devel mailing list