From 3801779191c67ecf134df8336b30392ff65c7207 Mon Sep 17 00:00:00 2001 From: Francois Cartegnie Date: Tue, 3 Mar 2015 13:45:47 +0100 Subject: [PATCH] demux: libmp4: enforce bounds reading container --- modules/demux/mp4/libmp4.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c index f949c3177a..0abb781d73 100644 --- a/modules/demux/mp4/libmp4.c +++ b/modules/demux/mp4/libmp4.c @@ -244,6 +244,8 @@ static int MP4_ReadBoxContainerChildrenIndexed( stream_t *p_stream, return 0; } + off_t i_end = p_container->i_pos + p_container->i_size; + do { uint32_t i_index = 0; @@ -254,12 +256,16 @@ static int MP4_ReadBoxContainerChildrenIndexed( stream_t *p_stream, return 0; i_index = GetDWBE(&read[4]); } - if( ( p_box = MP4_ReadBox( p_stream, p_container ) ) == NULL ) continue; + if( ( p_box = MP4_ReadBox( p_stream, p_container ) ) == NULL ) + break; p_box->i_index = i_index; /* chain this box with the father and the other at same level */ MP4_BoxAddChild( p_container, p_box ); + if( p_container->i_size && stream_Tell( p_stream ) == i_end ) + break; + if( p_box->i_type == i_last_child ) { MP4_NextBox( p_stream, p_box ); @@ -268,6 +274,9 @@ static int MP4_ReadBoxContainerChildrenIndexed( stream_t *p_stream, } while( MP4_NextBox( p_stream, p_box ) == 1 ); + if ( p_container->i_size && stream_Tell( p_stream ) != i_end ) + MP4_Seek( p_stream, i_end ); + return 1; } -- 2.39.2