demux: libmp4: fix heap write ofw in chan (fix #12371)

16a51ea7 · Francois Cartegnie · 54bbfac2 · 16a51ea7
Commit 16a51ea7 authored Oct 09, 2014 by Francois Cartegnie
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

modules/demux/mp4/libmp4.c modules/demux/mp4/libmp4.c +10 -3

No files found.
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1567,23 +1567,30 @@ static int MP4_ReadBox_stsdext_chan( stream_t *p_stream, MP4_Box_t *p_box )
    MP4_GET4BYTES( p_chan->layout.i_channels_layout_tag );
    MP4_GET4BYTES( p_chan->layout.i_channels_bitmap );
    MP4_GET4BYTES( p_chan->layout.i_channels_description_count );
-    if ( i_read < p_chan->layout.i_channels_description_count * 24 )
+    size_t i_descsize = 8 + 3 * sizeof(float);
+    if ( (size_t)i_read < p_chan->layout.i_channels_description_count * i_descsize )
        MP4_READBOX_EXIT( 0 );
    p_chan->layout.p_descriptions =
-        malloc( p_chan->layout.i_channels_description_count * 24 );
+        malloc( p_chan->layout.i_channels_description_count * i_descsize );
    if ( !p_chan->layout.p_descriptions )
        MP4_READBOX_EXIT( 0 );
-    for( uint32_t i=0; i<p_chan->layout.i_channels_description_count; i++ )
+    uint32_t i;
+    for( i=0; i<p_chan->layout.i_channels_description_count; i++ )
    {
+        if ( i_read < 20 )
+            break;
        MP4_GET4BYTES( p_chan->layout.p_descriptions[i].i_channel_label );
        MP4_GET4BYTES( p_chan->layout.p_descriptions[i].i_channel_flags );
        MP4_GET4BYTES( p_chan->layout.p_descriptions[i].f_coordinates[0] );
        MP4_GET4BYTES( p_chan->layout.p_descriptions[i].f_coordinates[1] );
        MP4_GET4BYTES( p_chan->layout.p_descriptions[i].f_coordinates[2] );
    }
+    if ( i<p_chan->layout.i_channels_description_count )
+        p_chan->layout.i_channels_description_count = i;
 #ifdef MP4_VERBOSE
    msg_Dbg( p_stream,