Fixed potential stack overflow in mp4 demuxer.

author Laurent Aimar <fenrir@videolan.org>

Tue, 15 Sep 2009 19:03:42 +0000 (21:03 +0200)

committer Laurent Aimar <fenrir@videolan.org>

Tue, 15 Sep 2009 19:04:48 +0000 (21:04 +0200)
author Laurent Aimar <fenrir@videolan.org>
Tue, 15 Sep 2009 19:03:42 +0000 (21:03 +0200)
committer Laurent Aimar <fenrir@videolan.org>
Tue, 15 Sep 2009 19:04:48 +0000 (21:04 +0200)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c

index 8df00de92b855ac0054c8dc2b6c43ee238bbb799..f8869a558d49eb6105cacf279a10a786f271b00e 100644 (file)
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -2876,18 +2876,24 @@ static void __MP4_BoxDumpStructure( stream_t *s,
      }
      else
      {
-        char str[512];
          unsigned int i;
-        memset( str, (uint8_t)' ', 512 );
+
+        char str[512];
+        if( i_level * 5 + 1 >= sizeof(str) )
+            return;
+
+        memset( str, ' ', sizeof(str) );
          for( i = 0; i < i_level; i++ )
          {
              str[i*5] = '|';
          }
-        if MP4_BOX_TYPE_ASCII()
-            sprintf( str + i_level * 5, "+ %4.4s size %d",
+        if( MP4_BOX_TYPE_ASCII() )
+            snprintf( &str[i_level * 5], sizeof(str) - 5*i_level,
+                      "+ %4.4s size %d",
                          (char*)&p_box->i_type, (uint32_t)p_box->i_size );
          else
-            sprintf( str + i_level * 5, "+ c%3.3s size %d",
+            snprintf( &str[i_level * 5], sizeof(str) - 5*i_level,
+                      "+ c%3.3s size %d",
                          (char*)&p_box->i_type+1, (uint32_t)p_box->i_size );
          msg_Dbg( s, "%s", str );
      }
author	Laurent Aimar <fenrir@videolan.org>
	Tue, 15 Sep 2009 19:03:42 +0000 (21:03 +0200)
committer	Laurent Aimar <fenrir@videolan.org>
	Tue, 15 Sep 2009 19:04:48 +0000 (21:04 +0200)