Commit 91446240 authored by Fabian Yamaguchi's avatar Fabian Yamaguchi Committed by Jean-Baptiste Kempf

demux: mp4: fix buffer overflow in parsing of string boxes.

We ensure that pbox->i_size is never smaller than 8 to avoid an
integer underflow in the third argument of the subsequent call to
memcpy. We also make sure no truncation occurs when passing values
derived from the 64 bit integer p_box->i_size to arguments of malloc
and memcpy that may be 32 bit integers on 32 bit platforms.
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit 2e7c7091a61aa5d07e7997b393d821e91f593c39)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent 9e7bb77e
...@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
{ {
MP4_READBOX_ENTER( MP4_Box_data_name_t ); MP4_READBOX_ENTER( MP4_Box_data_name_t );
if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
MP4_READBOX_EXIT( 0 );
p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */ p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
if( p_box->data.p_name->psz_text == NULL ) if( p_box->data.p_name->psz_text == NULL )
MP4_READBOX_EXIT( 0 ); MP4_READBOX_EXIT( 0 );
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment