Fixed potential stack overflow in mp4 demuxer.

Reported by Sebastian Apelt, Siberas.

Fixed potential stack overflow in mp4 demuxer.
Reported by Sebastian Apelt, Siberas.
c5b02d01 · Laurent Aimar · 861e374d · c5b02d01
Commit c5b02d01 authored Sep 15, 2009 by Laurent Aimar
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 5 deletions

modules/demux/mp4/libmp4.c modules/demux/mp4/libmp4.c +11 -5

No files found.
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2876,18 +2876,24 @@ static void __MP4_BoxDumpStructure( stream_t *s,
    }
    else
    {
-        char str[512];
        unsigned int i;
-        memset( str, (uint8_t)' ', 512 );
+
+        char str[512];
+        if( i_level * 5 + 1 >= sizeof(str) )
+            return;
+
+        memset( str, ' ', sizeof(str) );
        for( i = 0; i < i_level; i++ )
        {
            str[i*5] = '|';
        }
-        if MP4_BOX_TYPE_ASCII()
-            sprintf( str + i_level * 5, "+ %4.4s size %d",
+        if( MP4_BOX_TYPE_ASCII() )
+            snprintf( &str[i_level * 5], sizeof(str) - 5*i_level,
+                      "+ %4.4s size %d",
                        (char*)&p_box->i_type, (uint32_t)p_box->i_size );
        else
-            sprintf( str + i_level * 5, "+ c%3.3s size %d",
+            snprintf( &str[i_level * 5], sizeof(str) - 5*i_level,
+                      "+ c%3.3s size %d",
                        (char*)&p_box->i_type+1, (uint32_t)p_box->i_size );
        msg_Dbg( s, "%s", str );
    }