oysteikt/mpd
0
0
Fork 0
Code Issues Pull Requests Releases Activity

mp4: fix potential integer overflow bug in the mp4_decode() function

Browse Source 
A crafted mp4 file could cause an integer overflow in mp4_decode
function in src/inputPlugins/mp4_plugin.c.  mp4ff_num_samples()
function returns some tainted value. sizeof(float) * numSamples is an
integer overflow operation if numSamples is too huge, so xmalloc will
allocate a small memory region.  I constructe a mp4 file, and use
faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd
bears from the same problem.
This commit is contained in:
Terry
2008-09-12 17:06:04 +02:00
committed by Max Kellermann
parent 89c8b19a8c
commit 79a14c9a10
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/inputPlugins/mp4_plugin.c
View File

@@ -174,6 +174,13 @@ static int mp4_decode(struct decoder * mpd_decoder, InputStream * inStream)
total_time = ((float)file_time) / scale; total_time = ((float)file_time) / scale;
numSamples = mp4ff_num_samples(mp4fh, track); numSamples = mp4ff_num_samples(mp4fh, track);
if (numSamples > (long)(INT_MAX / sizeof(float))) {
ERROR("Integer overflow.\n");
faacDecClose(decoder);
mp4ff_close(mp4fh);
free(mp4cb);
return -1;
}
file_time = 0.0; file_time = 0.0;