Commit 6a23b418 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont
Browse files

MP4: Fix heap-based buffer overflow (CORE-2008-0130)

reported by Felipe Manzano and Anibal Sacoo from Core Security Technologies.
parent c5a33834
...@@ -479,7 +479,7 @@ static int Open( vlc_object_t * p_this ) ...@@ -479,7 +479,7 @@ static int Open( vlc_object_t * p_this )
msg_Err( p_demux, "cannot find any /moov/trak" ); msg_Err( p_demux, "cannot find any /moov/trak" );
goto error; goto error;
} }
msg_Dbg( p_demux, "find %d track%c", msg_Dbg( p_demux, "found %d track%c",
p_sys->i_tracks, p_sys->i_tracks,
p_sys->i_tracks ? 's':' ' ); p_sys->i_tracks ? 's':' ' );
...@@ -1151,6 +1151,12 @@ static int TrackCreateChunksIndex( demux_t *p_demux, ...@@ -1151,6 +1151,12 @@ static int TrackCreateChunksIndex( demux_t *p_demux,
for( i_chunk = p_stsc->data.p_stsc->i_first_chunk[i_index] - 1; for( i_chunk = p_stsc->data.p_stsc->i_first_chunk[i_index] - 1;
i_chunk < i_last; i_chunk++ ) i_chunk < i_last; i_chunk++ )
{ {
if( i_chunk >= p_demux_track->i_chunk_count )
{
msg_Warn( p_demux, "corrupted chunk table" );
return VLC_EGENERIC;
}
p_demux_track->chunk[i_chunk].i_sample_description_index = p_demux_track->chunk[i_chunk].i_sample_description_index =
p_stsc->data.p_stsc->i_sample_description_index[i_index]; p_stsc->data.p_stsc->i_sample_description_index[i_index];
p_demux_track->chunk[i_chunk].i_sample_count = p_demux_track->chunk[i_chunk].i_sample_count =
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment