]> git.sesse.net Git - vlc/commitdiff
projects / vlc / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0957289)
Fix (trunk-only) integer underflow in MP4 0xa9xxx box
authorRémi Denis-Courmont <rem@videolan.org>
Sat, 1 Mar 2008 20:32:30 +0000 (22:32 +0200)
committerRémi Denis-Courmont <rem@videolan.org>
Sun, 2 Mar 2008 08:48:28 +0000 (10:48 +0200)
Pointed-out-by: Drew Yao
Signed-off-by: Rémi Denis-Courmont <rem@videolan.org>
modules/demux/mp4/libmp4.c patch | blob | history

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index b5aee5faf04641cda0a91de457b1eb5689e62f93..a8af7fd5e346abfdb357c50bcd4b861a94291411 100644 (file)
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2115,21 +2115,24 @@ static int MP4_ReadBox_drms( stream_t *p_stream, MP4_Box_t *p_box )
 
 static int MP4_ReadBox_0xa9xxx( stream_t *p_stream, MP4_Box_t *p_box )
 {
-    uint16_t i_length, i_dummy;
+    uint16_t i16;
+    size_t i_length;
 
     MP4_READBOX_ENTER( MP4_Box_data_0xa9xxx_t );
 
     p_box->data.p_0xa9xxx->psz_text = NULL;
 
-    MP4_GET2BYTES( i_length );
+    MP4_GET2BYTES( i16 );
+    i_length = i16 + 1;
 
     if( i_length > 0 )
     {
-        MP4_GET2BYTES( i_dummy );
-        if( i_length > i_read ) i_length = i_read;
+        MP4_GET2BYTES( i16 );
+        if( i_length >= i_read ) i_length = i_read + 1;
 
-        p_box->data.p_0xa9xxx->psz_text = malloc( i_length + 1 );
+        p_box->data.p_0xa9xxx->psz_text = malloc( i_length );
 
+        i_length--;
         memcpy( p_box->data.p_0xa9xxx->psz_text,
                 p_peek, i_length );
         p_box->data.p_0xa9xxx->psz_text[i_length] = '\0';
@@ -2160,7 +2163,7 @@ static int MP4_ReadBox_0xa9xxx( stream_t *p_stream, MP4_Box_t *p_box )
             MP4_GET4BYTES( i_version );
             MP4_GET4BYTES( i_reserved );
             // version should be 0, flags should be 1 for text, 0 for data
-            if( i_version == 0x00000001 )
+            if( ( i_version == 0x00000001 ) && (i_data_len >= 12 ) )
             {
                 // the rest is the text
                 i_data_len -= 12;
Unnamed repository; edit this file 'description' to name the repository.