Commit 09572892 authored by Rémi Denis-Courmont

Fix integer overflow in MP4 RDRF boxes

Pointed-out-by: Drew Yao
Signed-off-by: Rémi Denis-Courmont <rem@videolan.org>
parent 0e90ac58
......@@ -1984,10 +1984,14 @@ static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
MP4_GET4BYTES( i_len );
i_len++;
if( i_len > 0 )
{
uint32_t i;
p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
p_box->data.p_rdrf->psz_ref = malloc( i_len );
i_len--;
for( i = 0; i < i_len; i++ )
{
MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
......
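Review bot: the result of malloc( i_len ) is used without a NULL check. The for loop that follows i_len-- writes through p_box->data.p_rdrf->psz_ref[i], and i_len comes straight from MP4_GET4BYTES, so a large length field in the file can make the allocation fail and the first MP4_GET1BYTE store would then dereference NULL. Suggest testing the pointer right after the malloc and leaving the box reader on failure, before the loop runs. Separately, the i_len++ followed by if( i_len > 0 ) relies on wraparound to reject the maximum length value (assuming i_len is an unsigned 32-bit value, as the uint32_t loop index suggests); a one-line comment stating that would keep a later cleanup from removing the increment/decrement pair as redundant.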