vlc/vlc-3.0 | branch: master | Rémi Denis-Courmont <[email protected]> | Thu Nov 30 19:32:58 2017 +0200| [a9535b9bee74dd1360083ae91f2350841a118045] | committer: Rémi Denis-Courmont
mp4: fix integer overflow in HLDR box > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=a9535b9bee74dd1360083ae91f2350841a118045 --- modules/demux/mp4/libmp4.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c index a4a0d4f821..6531dab768 100644 --- a/modules/demux/mp4/libmp4.c +++ b/modules/demux/mp4/libmp4.c @@ -1360,29 +1360,30 @@ static int MP4_ReadBox_hdlr( stream_t *p_stream, MP4_Box_t *p_box ) MP4_GET4BYTES( i_reserved ); p_box->data.p_hdlr->psz_name = NULL; + if( i_read >= SSIZE_MAX ) + MP4_READBOX_EXIT( 0 ); + if( i_read > 0 ) { - uint8_t *psz = p_box->data.p_hdlr->psz_name = malloc( i_read + 1 ); - if( unlikely( psz == NULL ) ) - MP4_READBOX_EXIT( 0 ); + size_t i_copy; /* Yes, I love .mp4 :( */ if( p_box->data.p_hdlr->i_predefined == VLC_FOURCC( 'm', 'h', 'l', 'r' ) ) { uint8_t i_len; - int i_copy; MP4_GET1BYTE( i_len ); - i_copy = __MIN( i_read, i_len ); - - memcpy( psz, p_peek, i_copy ); - p_box->data.p_hdlr->psz_name[i_copy] = '\0'; + i_copy = (i_len <= i_read) ? i_len : i_read; } else - { - memcpy( psz, p_peek, i_read ); - p_box->data.p_hdlr->psz_name[i_read] = '\0'; - } + i_copy = i_read; + + uint8_t *psz = p_box->data.p_hdlr->psz_name = malloc( i_copy + 1 ); + if( unlikely( psz == NULL ) ) + MP4_READBOX_EXIT( 0 ); + + memcpy( psz, p_peek, i_copy ); + p_box->data.p_hdlr->psz_name[i_copy] = '\0'; } #ifdef MP4_VERBOSE _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
