vlc | branch: master | Francois Cartegnie <fcvlc...@free.fr> | Mon Apr 14 21:14:07 2014 +0200| [4c3f3f823d65396db79e98e0e117e9c6c4f4928b] | committer: Francois Cartegnie
demux: mp4: fix mdat box reading > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=4c3f3f823d65396db79e98e0e117e9c6c4f4928b --- modules/demux/mp4/mp4.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c index 52c31cd..5177d57 100644 --- a/modules/demux/mp4/mp4.c +++ b/modules/demux/mp4/mp4.c @@ -3771,11 +3771,16 @@ static int MP4_frg_GetChunk( demux_t *p_demux, MP4_Box_t *p_chunk, unsigned *i_t if( !ret->p_sample_data ) return VLC_ENOMEM; - uint32_t dur = 0, len; + uint32_t dur = 0, i_mdatlen = 0, len; uint32_t chunk_duration = 0, chunk_size = 0; /* Skip header of mdat */ - stream_Read( p_demux->s, NULL, 8 ); + uint8_t mdat[8]; + int i_read = stream_Read( p_demux->s, &mdat, 8 ); + i_mdatlen = GetDWBE( mdat ); + if ( i_read < 8 || i_mdatlen < 8 || + VLC_FOURCC( mdat[4], mdat[5], mdat[6], mdat[7] ) != ATOM_mdat ) + return VLC_EGENERIC; for( uint32_t i = 0; i < ret->i_sample_count; i++) { @@ -3799,6 +3804,9 @@ static int MP4_frg_GetChunk( demux_t *p_demux, MP4_Box_t *p_chunk, unsigned *i_t else len = ret->p_sample_size[i] = default_size; + if ( chunk_size + len > ( i_mdatlen - 8 ) ) + return VLC_EGENERIC; + ret->p_sample_data[i] = malloc( len ); if( ret->p_sample_data[i] == NULL ) return VLC_ENOMEM; @@ -3814,6 +3822,10 @@ static int MP4_frg_GetChunk( demux_t *p_demux, MP4_Box_t *p_chunk, unsigned *i_t p_track->fmt.i_cat == VIDEO_ES ) ReInitDecoder( p_demux, p_track ); + /* Skip if we didn't reach the end of mdat box */ + if ( chunk_size < (i_mdatlen - 8) ) + stream_ReadU32( p_demux->s, NULL, i_mdatlen - chunk_size - 8 ); + p_track->b_has_non_empty_cchunk = true; return VLC_SUCCESS; } _______________________________________________ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits