aboutsummaryrefslogtreecommitdiffstats
path: root/bs/README
diff options
context:
space:
mode:
authorTerry <wangtielei@icst.pku.edu.cn>2008-09-12 17:06:04 +0200
committerEric Wong <normalperson@yhbt.net>2008-09-12 21:41:38 -0700
commita7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3 (patch)
tree6bdeb3c35fbf01533aa6b9a5c5a6d2d1282c186d /bs/README
parent12d4956528b7abd34aa5d827a2f088f6eb45df98 (diff)
downloadmpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.tar.gz
mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.tar.xz
mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.zip
mp4: fix potential integer overflow bug in the mp4_decode() function
A crafted mp4 file could cause an integer overflow in mp4_decode function in src/inputPlugins/mp4_plugin.c. mp4ff_num_samples() function returns some tainted value. sizeof(float) * numSamples is an integer overflow operation if numSamples is too huge, so xmalloc will allocate a small memory region. I constructe a mp4 file, and use faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd bears from the same problem.
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions