demux: mp4: fix buffer overflow in parsing of string boxes.

We ensure that pbox->i_size is never smaller than 8 to avoid an integer underflow in the third argument of the subsequent call to memcpy. We also make sure no truncation occurs when passing values derived from the 64 bit integer p_box->i_size to arguments of malloc and memcpy that may be 32 bit integers on 32 bit platforms. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> (cherry picked from commit 2e7c7091a61aa5d07e7997b393d821e91f593c39) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

demux: mp4: fix buffer overflow in parsing of string boxes.
We ensure that pbox->i_size is never smaller than 8 to avoid an integer underflow in the third argument of the subsequent call to memcpy. We also make sure no truncation occurs when passing values derived from the 64 bit integer p_box->i_size to arguments of malloc and memcpy that may be 32 bit integers on 32 bit platforms. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> (cherry picked from commit 2e7c7091a61aa5d07e7997b393d821e91f593c39) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
91446240 · Fabian Yamaguchi · Jean-Baptiste Kempf · 9e7bb77e · 91446240
Commit 91446240 authored Dec 05, 2014 by Fabian Yamaguchi Committed by Jean-Baptiste Kempf Dec 08, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

modules/demux/mp4/libmp4.c modules/demux/mp4/libmp4.c +3 -0

No files found.
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
 {
    MP4_READBOX_ENTER( MP4_Box_data_name_t );

+    if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
+        MP4_READBOX_EXIT( 0 );
+
    p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
    if( p_box->data.p_name->psz_text == NULL )
        MP4_READBOX_EXIT( 0 );