vlc/vlc-3.0 | branch: master | Francois Cartegnie <[email protected]> | Fri Apr 26 12:42:01 2019 +0200| [06fab084cab29248305927c2f34c124504b29e56] | committer: Francois Cartegnie
demux: mp4: add sample overread check for non seekable case refs broken #22228 (cherry picked from commit 49db2cce11739f9b23347ba67721a7eff467dfc6) > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=06fab084cab29248305927c2f34c124504b29e56 --- modules/demux/mp4/mp4.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+)
diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index c70f6f6fd0..3e638c12e1 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -1169,6 +1169,27 @@ static block_t * MP4_RTPHint_Convert( demux_t *p_demux, block_t *p_block, vlc_fo
 return p_converted;
 }
 
+static uint64_t OverflowCheck( demux_t *p_demux, mp4_track_t *tk,
+ uint64_t i_readpos, uint64_t i_samplessize )
+{
+ demux_sys_t *p_sys = p_demux->p_sys;
+ if( !p_sys->b_seekable && p_sys->b_fragmented &&
+ p_sys->context.i_post_mdat_offset )
+ {
+ /* avoid breaking non seekable demux */
+ if( i_readpos + i_samplessize > p_sys->context.i_post_mdat_offset )
+ {
+ msg_Err(p_demux, "Broken file. track[0x%x] "
+ "Sample @%" PRIu64 " overflowing "
+ "parent mdat by %" PRIu64,
+ tk->i_track_ID, i_readpos,
+ i_readpos + i_samplessize - p_sys->context.i_post_mdat_offset );
+ i_samplessize = p_sys->context.i_post_mdat_offset - i_readpos;
+ }
+ }
+ return i_samplessize;
+}
+
 /*****************************************************************************
 * Demux: read packet and send them to decoders
 *****************************************************************************
@@ -1221,6 +1242,8 @@ static int DemuxTrack( demux_t *p_demux, mp4_track_t *tk, uint64_t i_readpos,
 }
 }
 
+ i_samplessize = OverflowCheck( p_demux, tk, i_readpos, i_samplessize );
+
 /* now read pes */
 if( !(p_block = vlc_stream_Block( p_demux->s, i_samplessize )) )
 {
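Review bot: The clamp in OverflowCheck, `i_samplessize = p_sys->context.i_post_mdat_offset - i_readpos;`, wraps to a very large uint64_t when i_readpos is already beyond i_post_mdat_offset, so the size passed to vlc_stream_Block() grows instead of shrinking; the sum `i_readpos + i_samplessize` in the comparison can wrap too. Whether the demuxer can reach that state is not visible in this hunk, but these offsets appear to derive from the stream being parsed, so the check should not depend on it. Comparing the sample size against the room left in the mdat avoids both wraps, as sketched below. The same helper feeds the DemuxTrack call in the next hunk and the FragDemuxTrack call in the last one, where the uint64_t result is stored back into `len`, declared outside that hunk. Both callers should also be checked for how they treat a size clamped to zero.

```c
static uint64_t OverflowCheck( demux_t *p_demux, mp4_track_t *tk,
                               uint64_t i_readpos, uint64_t i_samplessize )
{
    /* … unchanged: p_sys lookup and the non seekable / fragmented guard … */
        const uint64_t i_end = p_sys->context.i_post_mdat_offset;
        /* room left in the mdat; 0 when the read position is already past it */
        const uint64_t i_left = ( i_readpos < i_end ) ? i_end - i_readpos : 0;
        if( i_samplessize > i_left )
        {
            /* … unchanged: msg_Err call, last argument now i_samplessize - i_left … */
            i_samplessize = i_left;
        }
    /* … unchanged: return i_samplessize … */
```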
@@ -4331,6 +4354,8 @@ static int FragDemuxTrack( demux_t *p_demux, mp4_track_t *p_track,
 if( !len )
 msg_Warn(p_demux, "Zero length sample in trun.");
 
+ len = OverflowCheck( p_demux, p_track, vlc_stream_Tell(p_demux->s), len );
+
 block_t *p_block = vlc_stream_Block( p_demux->s, len );
 uint32_t i_read = ( p_block ) ? p_block->i_buffer : 0;
 p_track->context.i_trun_sample_pos += i_read;
_______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
