Fix integer overflow in MP4 RDRF boxes

author Rémi Denis-Courmont <rem@videolan.org>

Sat, 1 Mar 2008 20:22:48 +0000 (22:22 +0200)

committer Rémi Denis-Courmont <rem@videolan.org>

Sun, 2 Mar 2008 08:48:28 +0000 (10:48 +0200)
author Rémi Denis-Courmont <rem@videolan.org>
Sat, 1 Mar 2008 20:22:48 +0000 (22:22 +0200)
committer Rémi Denis-Courmont <rem@videolan.org>
Sun, 2 Mar 2008 08:48:28 +0000 (10:48 +0200)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c

index fd668dd1231f33d131f736c2c6f183bdc6478f73..b5aee5faf04641cda0a91de457b1eb5689e62f93 100644 (file)
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1984,10 +1984,14 @@ static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
      MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
      MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
      MP4_GET4BYTES( i_len );
+    i_len++;
+
      if( i_len > 0 )
      {
          uint32_t i;
-        p_box->data.p_rdrf->psz_ref = malloc( i_len  + 1);
+        p_box->data.p_rdrf->psz_ref = malloc( i_len );
+        i_len--;
+
          for( i = 0; i < i_len; i++ )
          {
              MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
author	Rémi Denis-Courmont <rem@videolan.org>
	Sat, 1 Mar 2008 20:22:48 +0000 (22:22 +0200)
committer	Rémi Denis-Courmont <rem@videolan.org>
	Sun, 2 Mar 2008 08:48:28 +0000 (10:48 +0200)