vlc | branch: master | Rémi Denis-Courmont <[email protected]> | Fri Nov 24 20:01:01 2017 +0200| [90e610081180134d244d2f9220070916685d3fad] | committer: Rémi Denis-Courmont
mp4: check CTTS size before allocation This avoids allocating stupid amounts of memory. Note: there is still an infinite loop if count == 0xffffffff (with a suitably enormous input). > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=90e610081180134d244d2f9220070916685d3fad
---
modules/demux/mp4/libmp4.c | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 4e105cf684..de973056ca 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1595,34 +1595,31 @@ static void MP4_FreeBox_ctts( MP4_Box_t *p_box ) static int MP4_ReadBox_ctts( stream_t *p_stream, MP4_Box_t *p_box ) { + uint32_t count; + MP4_READBOX_ENTER( MP4_Box_data_ctts_t, MP4_FreeBox_ctts ); MP4_GETVERSIONFLAGS( p_box->data.p_ctts ); + MP4_GET4BYTES( count ); - MP4_GET4BYTES( p_box->data.p_ctts->i_entry_count ); + if( UINT64_C(8) * count > i_read ) + MP4_READBOX_EXIT( 0 ); - p_box->data.p_ctts->pi_sample_count = - calloc( p_box->data.p_ctts->i_entry_count, sizeof(uint32_t) ); - p_box->data.p_ctts->pi_sample_offset = - calloc( p_box->data.p_ctts->i_entry_count, sizeof(int32_t) ); - if( ( p_box->data.p_ctts->pi_sample_count == NULL ) - || ( p_box->data.p_ctts->pi_sample_offset == NULL ) ) - { + p_box->data.p_ctts->pi_sample_count = vlc_alloc( count, sizeof(uint32_t) ); + p_box->data.p_ctts->pi_sample_offset = vlc_alloc( count, sizeof(int32_t) ); + if( unlikely(p_box->data.p_ctts->pi_sample_count == NULL + || p_box->data.p_ctts->pi_sample_offset == NULL) ) MP4_READBOX_EXIT( 0 ); - } + p_box->data.p_ctts->i_entry_count = count; - uint32_t i = 0; - for( ; (i < p_box->data.p_ctts->i_entry_count )&&( i_read >=8 ); i++ ) + for( uint32_t i = 0; i < count; i++ ) { MP4_GET4BYTES( p_box->data.p_ctts->pi_sample_count[i] ); MP4_GET4BYTES( p_box->data.p_ctts->pi_sample_offset[i] ); } - if ( i < p_box->data.p_ctts->i_entry_count ) - p_box->data.p_ctts->i_entry_count = i; #ifdef MP4_VERBOSE - msg_Dbg( p_stream, "read box: \"ctts\" entry-count %d", - p_box->data.p_ctts->i_entry_count ); + msg_Dbg( p_stream, "read box: \"ctts\" entry-count %"PRIu32, count ); #endif MP4_READBOX_EXIT( 1 ); _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
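Review bot: The loop `for( uint32_t i = 0; i < count; i++ )` no longer tests `i_read`, and the arrays now come from `vlc_alloc` instead of `calloc`, so whether every slot gets written from real input rests entirely on the `UINT64_C(8) * count > i_read` check above it, and that invariant is not written down. I would put a comment on the check, e.g. `/* each entry is two 32-bit fields (8 bytes); reject counts the remaining payload cannot hold, so the loop below fills every slot */`. The check also changes behaviour for truncated boxes: the old loop clamped `i_entry_count` to the entries actually present, whereas the new code fails the whole box, which deserves a line in the comment if it is intended. Separately, for `count == 0` the outcome depends on whether `vlc_alloc` can return NULL for a zero-byte request (its definition is not in this hunk); if it can, an empty ctts box would be rejected as an allocation failure. The closing brace of MP4_ReadBox_ctts lies outside the hunk.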
