From 3a6282755277ba9321d405c635e50da935d258a6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sat, 1 Mar 2008 18:54:56 +0000
Subject: [PATCH] Fix buffer overflow.
---
 modules/demux/mp4/libmp4.c | 46 ++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 04f0eb34ae..54ee0851ef 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -1663,9 +1663,19 @@ static void MP4_FreeBox_stdp( MP4_Box_t *p_box )
 FREENULL( p_box->data.p_stdp->i_priority );
 }
+static void MP4_FreeBox_padb( MP4_Box_t *p_box )
+{
+ FREENULL( p_box->data.p_padb->i_reserved1 );
+ FREENULL( p_box->data.p_padb->i_pad2 );
+ FREENULL( p_box->data.p_padb->i_reserved2 );
+ FREENULL( p_box->data.p_padb->i_pad1 );
+}
+
 static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
 {
+ int code = 0;
 unsigned int i;
+ uint32_t count;
 MP4_READBOX_ENTER( MP4_Box_data_padb_t );
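Review bot: `MP4_FreeBox_padb` is moved above the reader because it now also serves as the cleanup for the reader's failure path (the `i >= count` branch added further down in `MP4_ReadBox_padb`), but nothing at its definition records that. A short comment such as `/* Also called from MP4_ReadBox_padb's error path: members may be NULL. */` would keep a later edit from adding a dereference here. The arrangement presumably relies on FREENULL resetting each pointer after freeing it, so that a later regular free of the same box is harmless; the macro is not visible in this hunk and that should be confirmed.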
@@ -1673,23 +1683,21 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
 MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
+ count = p_box->data.p_padb->i_sample_count;
+ count = (count + 1) / 2;
- p_box->data.p_padb->i_reserved1 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
- p_box->data.p_padb->i_pad2 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
- p_box->data.p_padb->i_reserved2 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
- p_box->data.p_padb->i_pad1 =
- calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2,
- sizeof(uint16_t) );
-
+ p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
+ p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
 for( i = 0; i < i_read / 2 ; i++ )
 {
+ if( i >= count )
+ {
+ MP4_FreeBox_padb( p_box );
+ goto error;
+ }
 p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
 p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
 p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
@@ -1703,15 +1711,9 @@ static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box )
 i_read / 2 );
 #endif
- MP4_READBOX_EXIT( 1 );
-}
-
-static void MP4_FreeBox_padb( MP4_Box_t *p_box )
-{
- FREENULL( p_box->data.p_padb->i_reserved1 );
- FREENULL( p_box->data.p_padb->i_pad2 );
- FREENULL( p_box->data.p_padb->i_reserved2 );
- FREENULL( p_box->data.p_padb->i_pad1 );
+ code = 1;
+error:
+ MP4_READBOX_EXIT( code );
 }
 static int MP4_ReadBox_elst( stream_t *p_stream, MP4_Box_t *p_box )
--
2.39.2
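Review bot: The four `calloc( count, sizeof(uint16_t) )` results in `MP4_ReadBox_padb` are used without a NULL check, so the new `i >= count` guard bounds the index but not the pointer. `count` is derived directly from the file's `i_sample_count`, so a small box that declares a very large sample count can make one or more of the allocations fail, and the first loop iteration then writes through NULL. A check placed right after the allocations that frees and takes the `error` path would close this; it is shown below with `count > 0`, because `calloc( 0, … )` may return NULL without having failed. Separately, the context lines assign `i_reserved1[i]` twice (shifts 7 and 3) and never `i_reserved2[i]`, which looks like a copy-paste slip that predates this commit. The loop body continues past the end of the hunk.

```c
    p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
    /* calloc( 0, ... ) may return NULL without having failed */
    if( count > 0
     && ( p_box->data.p_padb->i_reserved1 == NULL
       || p_box->data.p_padb->i_pad2 == NULL
       || p_box->data.p_padb->i_reserved2 == NULL
       || p_box->data.p_padb->i_pad1 == NULL ) )
    {
        MP4_FreeBox_padb( p_box );
        goto error;
    }
    /* … unchanged: for loop with the i >= count check … */
```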