Jean-Baptiste Kempf pushed to branch 3.0.x at VideoLAN / VLC
Commits: b2721801 by François Cartegnie at 2026-05-11T07:38:01+02:00 demux: libmp4: add recursion limit for containers refs #29790 (cherry picked from commit 42741b88474fe124ed070dd5ca1691c82e64c76f) Signed-off-by: Marvin Scholz <[email protected]> - - - - - 1 changed file: - modules/demux/mp4/libmp4.c Changes: ===================================== modules/demux/mp4/libmp4.c ===================================== @@ -38,6 +38,8 @@ #include <assert.h> #include <limits.h> +#define MP4_DEPTH_MAX 32 + /* Some assumptions: * The input method HAS to be seekable */ @@ -108,6 +110,14 @@ static char *mp4_getstringz( uint8_t **restrict in, uint64_t *restrict size ) (p_str) = mp4_getstringz( &p_peek, &i_read ); \ while(0) +static unsigned GetDepth( const MP4_Box_t *box ) +{ + unsigned i = 0; + for( ; box ; box = box->p_father ) + i++; + return i; +} + static uint8_t *mp4_readbox_enter_common( stream_t *s, MP4_Box_t *box, size_t typesize, void (*release)( MP4_Box_t * ), @@ -429,6 +439,9 @@ static int MP4_ReadBoxContainerChildrenIndexed( stream_t *p_stream, return 0; } + if( GetDepth( p_container ) > MP4_DEPTH_MAX ) /* Prevent unbounded recursions */ + return 1; + uint64_t i_last_pos = 0; /* used to detect read failure loops */ const uint64_t i_end = p_container->i_pos + p_container->i_size; MP4_Box_t *p_box = NULL; View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/b27218019578eab1cf7668c3adc6607e96d5a6e8 -- View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/b27218019578eab1cf7668c3adc6607e96d5a6e8 You're receiving this email because of your account on code.videolan.org.
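Review bot: In the first hunk (@@ -38,6 +38,8 @@), MP4_DEPTH_MAX is defined with no comment saying what it counts or why 32 is enough. A one-line comment would help, noting that it is the maximum number of nested boxes as counted by GetDepth() (the box itself plus its p_father ancestors) and that it is meant to sit comfortably above the nesting seen in legitimate files. Without it, the next person to touch the limit has to guess.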
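Review bot: In the second hunk (@@ -108,6 +110,14 @@), GetDepth() counts the box it is given as well as every p_father above it, so a top-level container has depth 1, not 0, and nothing in the function says so. Combined with the strict comparison in the caller, "GetDepth( p_container ) > MP4_DEPTH_MAX", a container at depth 32 still reads its children and the cut-off happens at depth 33. Please document the counting convention on the function so the boundary is clearly intentional. The helper also depends on p_father already being set on the container when its children are read, which is not visible in these lines and is worth confirming. The repeated walk up the parent chain is acceptable here because the check itself bounds the chain length.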
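Review bot: In the third hunk (@@ -429,6 +439,9 @@), the new depth check exits with "return 1;" while the early exit just above it in the context uses "return 0;", and it does so silently. If 1 is the success value, an over-deep container is reported as read correctly with no children, and a truncated box tree becomes indistinguishable from a well-formed one. Please either state in the comment that skipping the children without failing the parse is intended, or return the failure value. In both cases a msg_Warn( p_stream, ... ) naming the depth limit would make rejected or truncated files diagnosable from the logs. It is also worth checking that the caller still moves the stream past this container when its children are skipped, since this return happens before any child is read.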
_______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
