Commit 8b46168d authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Fix buffer overflow.

parent c51d4c68
...@@ -1638,12 +1638,22 @@ static int MP4_ReadBox_stdp( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1638,12 +1638,22 @@ static int MP4_ReadBox_stdp( stream_t *p_stream, MP4_Box_t *p_box )
static void MP4_FreeBox_stdp( MP4_Box_t *p_box ) static void MP4_FreeBox_stdp( MP4_Box_t *p_box )
{ {
FREE( p_box->data.p_stdp->i_priority ) FREENULL( p_box->data.p_stdp->i_priority );
}
static void MP4_FreeBox_padb( MP4_Box_t *p_box )
{
FREENULL( p_box->data.p_padb->i_reserved1 );
FREENULL( p_box->data.p_padb->i_pad2 );
FREENULL( p_box->data.p_padb->i_reserved2 );
FREENULL( p_box->data.p_padb->i_pad1 );
} }
static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box ) static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
{ {
int code = 0;
unsigned int i; unsigned int i;
uint32_t count;
MP4_READBOX_ENTER( MP4_Box_data_padb_t ); MP4_READBOX_ENTER( MP4_Box_data_padb_t );
...@@ -1651,23 +1661,21 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1651,23 +1661,21 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GET4BYTES( p_box->data.p_padb->i_sample_count ); MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
count = p_box->data.p_padb->i_sample_count;
count = (count + 1) / 2;
p_box->data.p_padb->i_reserved1 = p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2, p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
sizeof(uint16_t) ); p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
p_box->data.p_padb->i_pad2 = p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
sizeof(uint16_t) );
p_box->data.p_padb->i_reserved2 =
calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
sizeof(uint16_t) );
p_box->data.p_padb->i_pad1 =
calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
sizeof(uint16_t) );
for( i = 0; i < i_read / 2 ; i++ ) for( i = 0; i < i_read / 2 ; i++ )
{ {
if( i >= count )
{
MP4_FreeBox_padb( p_box );
goto error;
}
p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01; p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07; p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01; p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
...@@ -1681,15 +1689,9 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box ) ...@@ -1681,15 +1689,9 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
i_read / 2 ); i_read / 2 );
#endif #endif
MP4_READBOX_EXIT( 1 ); code = 1;
} error:
MP4_READBOX_EXIT( code );
static void MP4_FreeBox_padb( MP4_Box_t *p_box )
{
FREE( p_box->data.p_padb->i_reserved1 );
FREE( p_box->data.p_padb->i_pad2 );
FREE( p_box->data.p_padb->i_reserved2 );
FREE( p_box->data.p_padb->i_pad1 );
} }
static int MP4_ReadBox_elst( stream_t *p_stream, MP4_Box_t *p_box ) static int MP4_ReadBox_elst( stream_t *p_stream, MP4_Box_t *p_box )
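Review bot: The four `calloc( count, sizeof(uint16_t) )` results in MP4_ReadBox_padb are stored and then indexed in the loop without a NULL check, so an allocation failure leads straight to a write through a null pointer. The new `i >= count` guard bounds the index but does not cover this, and `count` derives from `i_sample_count`, which is read from the file and can be large enough to make the allocation fail. I would add a check right after the allocations that reuses the commit's own `MP4_FreeBox_padb( p_box ); goto error;` path, skipped when `count` is 0 because `calloc` may legitimately return NULL then and the loop guard already handles that case. Separately, the context lines in the loop assign `i_reserved1[i]` twice (bits 7 and 3); the second looks like it was meant for `i_reserved2[i]`, which is worth confirming. The body of MP4_ReadBox_padb continues outside the visible hunks, so this assumes nothing between them touches the arrays first.

```c
p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
if( count > 0
 && ( p_box->data.p_padb->i_reserved1 == NULL
   || p_box->data.p_padb->i_pad2 == NULL
   || p_box->data.p_padb->i_reserved2 == NULL
   || p_box->data.p_padb->i_pad1 == NULL ) )
{
    MP4_FreeBox_padb( p_box );
    goto error;
}
/* ... unchanged: for loop with the i >= count guard ... */
```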
......