Commit 6f1e0a1c authored by Francois Cartegnie's avatar Francois Cartegnie Committed by Jean-Baptiste Kempf

demux: mp4: fix heap read overflow in avcc (fix #12267)

(cherry picked from commit 8063cb85bb9adf5c9147336c13d2ba5696e6f3e2)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
parent faf9aa57
...@@ -1396,9 +1396,11 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1396,9 +1396,11 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box )
if( !p_avcC->i_sps_length || !p_avcC->sps ) if( !p_avcC->i_sps_length || !p_avcC->sps )
goto error; goto error;
for( i = 0; i < p_avcC->i_sps; i++ ) for( i = 0; i < p_avcC->i_sps && i_read; i++ )
{ {
MP4_GET2BYTES( p_avcC->i_sps_length[i] ); MP4_GET2BYTES( p_avcC->i_sps_length[i] );
if ( p_avcC->i_sps_length[i] > i_read )
goto error;
p_avcC->sps[i] = malloc( p_avcC->i_sps_length[i] ); p_avcC->sps[i] = malloc( p_avcC->i_sps_length[i] );
if( p_avcC->sps[i] ) if( p_avcC->sps[i] )
memcpy( p_avcC->sps[i], p_peek, p_avcC->i_sps_length[i] ); memcpy( p_avcC->sps[i], p_peek, p_avcC->i_sps_length[i] );
...@@ -1406,6 +1408,8 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1406,6 +1408,8 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box )
p_peek += p_avcC->i_sps_length[i]; p_peek += p_avcC->i_sps_length[i];
i_read -= p_avcC->i_sps_length[i]; i_read -= p_avcC->i_sps_length[i];
} }
if ( i != p_avcC->i_sps )
goto error;
} }
MP4_GET1BYTE( p_avcC->i_pps ); MP4_GET1BYTE( p_avcC->i_pps );
...@@ -1417,9 +1421,11 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1417,9 +1421,11 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box )
if( !p_avcC->i_pps_length || !p_avcC->pps ) if( !p_avcC->i_pps_length || !p_avcC->pps )
goto error; goto error;
for( i = 0; i < p_avcC->i_pps; i++ ) for( i = 0; i < p_avcC->i_pps && i_read; i++ )
{ {
MP4_GET2BYTES( p_avcC->i_pps_length[i] ); MP4_GET2BYTES( p_avcC->i_pps_length[i] );
if( p_avcC->i_pps_length[i] > i_read )
goto error;
p_avcC->pps[i] = malloc( p_avcC->i_pps_length[i] ); p_avcC->pps[i] = malloc( p_avcC->i_pps_length[i] );
if( p_avcC->pps[i] ) if( p_avcC->pps[i] )
memcpy( p_avcC->pps[i], p_peek, p_avcC->i_pps_length[i] ); memcpy( p_avcC->pps[i], p_peek, p_avcC->i_pps_length[i] );
...@@ -1427,6 +1433,8 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1427,6 +1433,8 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box )
p_peek += p_avcC->i_pps_length[i]; p_peek += p_avcC->i_pps_length[i];
i_read -= p_avcC->i_pps_length[i]; i_read -= p_avcC->i_pps_length[i];
} }
if ( i != p_avcC->i_pps )
goto error;
} }
#ifdef MP4_VERBOSE #ifdef MP4_VERBOSE
msg_Dbg( p_stream, msg_Dbg( p_stream,
...@@ -1449,6 +1457,7 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1449,6 +1457,7 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box )
MP4_READBOX_EXIT( 1 ); MP4_READBOX_EXIT( 1 );
error: error:
MP4_FreeBox_avcC( p_box );
MP4_READBOX_EXIT( 0 ); MP4_READBOX_EXIT( 0 );
} }
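Review bot: A failed malloc() is still swallowed on the new side — at `p_avcC->sps[i] = malloc( p_avcC->i_sps_length[i] );` (and the matching `pps[i]` line) the loop only skips the memcpy, then keeps the non-zero `i_sps_length[i]`, advances `p_peek`/`i_read` and continues, so a consumer of the box sees a length paired with a NULL pointer. Now that the error path frees the box via `MP4_FreeBox_avcC`, the natural fix is to bail out instead: `if( !p_avcC->sps[i] ) goto error;` before the memcpy, and the same for `pps[i]`. A zero-length entry calls `malloc( 0 )`, which may legitimately return NULL, so write the check as `if( p_avcC->i_sps_length[i] && !p_avcC->sps[i] ) goto error;` if empty parameter sets are meant to be tolerated. The new bounds checks also depend on `MP4_GET2BYTES` leaving `i_read` consistent when fewer than two bytes remain; that macro is outside the hunk, so confirm it clamps rather than underflowing. MP4_ReadBox_avcC starts and ends outside these hunks.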