vlc | branch: master | Rémi Denis-Courmont <[email protected]> | Fri Nov 24 19:01:53 2017 +0200| [794b54c8fb52ec0d2cdbadae92b0226f8fafd799] | committer: Rémi Denis-Courmont
mp4: fix potential pointer overflow p_peek could go out-of-range, UB. > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=794b54c8fb52ec0d2cdbadae92b0226f8fafd799 --- modules/demux/mp4/libmp4.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c index 29541c72c9..b5e5a0598b 100644 --- a/modules/demux/mp4/libmp4.c +++ b/modules/demux/mp4/libmp4.c @@ -566,19 +566,21 @@ static int MP4_ReadBoxContainer( stream_t *p_stream, MP4_Box_t *p_container ) static int MP4_ReadBoxSkip( stream_t *p_stream, MP4_Box_t *p_box ) { - /* XXX sometime moov is hiden in a free box */ + /* XXX sometime moov is hidden in a free box */ if( p_box->p_father && p_box->p_father->i_type == ATOM_root && p_box->i_type == ATOM_free ) { const uint8_t *p_peek; - int i_read; + size_t header_size = mp4_box_headersize( p_box ) + 4; vlc_fourcc_t i_fcc; - i_read = vlc_stream_Peek( p_stream, &p_peek, 44 ); + ssize_t i_read = vlc_stream_Peek( p_stream, &p_peek, 44 ); + if( unlikely(i_read < (ssize_t)header_size) ) + return 0; - p_peek += mp4_box_headersize( p_box ) + 4; - i_read -= mp4_box_headersize( p_box ) + 4; + p_peek += header_size; + i_read -= header_size; if( i_read >= 8 ) { _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
