From 6a23b418694c337d5b7518c8c8f538d195ff2e36 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?= <rem@videolan.org>
Date: Thu, 7 Feb 2008 18:51:39 +0000
Subject: [PATCH] MP4: Fix heap-based buffer overflow (CORE-2008-0130) reported
 by Felipe Manzano and Anibal Sacoo from Core Security Technologies.

---
 modules/demux/mp4/mp4.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
index 9ea5ce3d71..18687ab194 100644
--- a/modules/demux/mp4/mp4.c
+++ b/modules/demux/mp4/mp4.c
@@ -479,7 +479,7 @@ static int Open( vlc_object_t * p_this )
         msg_Err( p_demux, "cannot find any /moov/trak" );
         goto error;
     }
-    msg_Dbg( p_demux, "find %d track%c",
+    msg_Dbg( p_demux, "found %d track%c",
                         p_sys->i_tracks,
                         p_sys->i_tracks ? 's':' ' );
 
@@ -1151,6 +1151,12 @@ static int TrackCreateChunksIndex( demux_t *p_demux,
         for( i_chunk = p_stsc->data.p_stsc->i_first_chunk[i_index] - 1;
              i_chunk < i_last; i_chunk++ )
         {
+            if( i_chunk >= p_demux_track->i_chunk_count )
+            {
+                msg_Warn( p_demux, "corrupted chunk table" );
+                return VLC_EGENERIC;
+            }
+
             p_demux_track->chunk[i_chunk].i_sample_description_index =
                     p_stsc->data.p_stsc->i_sample_description_index[i_index];
             p_demux_track->chunk[i_chunk].i_sample_count =
-- 
2.39.2