Commit 90e61008 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

mp4: check CTTS size before allocation

This avoids allocating stupid amounts of memory.

Note: there is still an infinite loop if count == 0xffffffff
(with a suitably enormous input).
parent 398e5ff0
......@@ -1595,34 +1595,31 @@ static void MP4_FreeBox_ctts( MP4_Box_t *p_box )
static int MP4_ReadBox_ctts( stream_t *p_stream, MP4_Box_t *p_box )
{
uint32_t count;
MP4_READBOX_ENTER( MP4_Box_data_ctts_t, MP4_FreeBox_ctts );
MP4_GETVERSIONFLAGS( p_box->data.p_ctts );
MP4_GET4BYTES( count );
MP4_GET4BYTES( p_box->data.p_ctts->i_entry_count );
if( UINT64_C(8) * count > i_read )
MP4_READBOX_EXIT( 0 );
p_box->data.p_ctts->pi_sample_count =
calloc( p_box->data.p_ctts->i_entry_count, sizeof(uint32_t) );
p_box->data.p_ctts->pi_sample_offset =
calloc( p_box->data.p_ctts->i_entry_count, sizeof(int32_t) );
if( ( p_box->data.p_ctts->pi_sample_count == NULL )
|| ( p_box->data.p_ctts->pi_sample_offset == NULL ) )
{
p_box->data.p_ctts->pi_sample_count = vlc_alloc( count, sizeof(uint32_t) );
p_box->data.p_ctts->pi_sample_offset = vlc_alloc( count, sizeof(int32_t) );
if( unlikely(p_box->data.p_ctts->pi_sample_count == NULL
|| p_box->data.p_ctts->pi_sample_offset == NULL) )
MP4_READBOX_EXIT( 0 );
}
p_box->data.p_ctts->i_entry_count = count;
uint32_t i = 0;
for( ; (i < p_box->data.p_ctts->i_entry_count )&&( i_read >=8 ); i++ )
for( uint32_t i = 0; i < count; i++ )
{
MP4_GET4BYTES( p_box->data.p_ctts->pi_sample_count[i] );
MP4_GET4BYTES( p_box->data.p_ctts->pi_sample_offset[i] );
}
if ( i < p_box->data.p_ctts->i_entry_count )
p_box->data.p_ctts->i_entry_count = i;
#ifdef MP4_VERBOSE
msg_Dbg( p_stream, "read box: \"ctts\" entry-count %d",
p_box->data.p_ctts->i_entry_count );
msg_Dbg( p_stream, "read box: \"ctts\" entry-count %"PRIu32, count );
#endif
MP4_READBOX_EXIT( 1 );
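Review bot: The check `if( UINT64_C(8) * count > i_read )` now does double duty — it bounds the two vlc_alloc() calls to the bytes actually present in the box buffer and replaces the per-entry `i_read >= 8` guard the old loop carried — but nothing in the hunk says so, and a later edit that moves the loop or adds a field to the entry could silently drop that guarantee. I would add above it: `/* Each entry is 8 bytes; rejecting 8*count > i_read bounds the allocations below to the box size already in memory and lets the loop read every entry without per-entry checks. */`. Whether the comparison is sound also depends on the type of i_read, which MP4_READBOX_ENTER defines outside this hunk; if it is a signed type, a negative value would convert to a huge unsigned and pass the check, so stating here that i_read is non-negative (or casting it explicitly) would make the invariant visible. One pre-existing edge worth a note: with count == 0, vlc_alloc(0, ...) presumably ends in malloc(0), which may return NULL on some platforms and turn an empty but valid ctts table into a parse failure. The function's closing brace lies outside the hunk.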