diff options
author | Terry <wangtielei@icst.pku.edu.cn> | 2008-09-12 17:06:04 +0200 |
---|---|---|
committer | Max Kellermann <max@duempel.org> | 2008-09-12 17:06:04 +0200 |
commit | 79a14c9a10a6356fa9158e62f206c63833dcc632 (patch) | |
tree | 1b67fd9afa938c614d68ab49e8da77daaeb809f6 /src/sllist.h | |
parent | 89c8b19a8c4a21e8ce578bd92120581f640fc2af (diff) | |
download | mpd-79a14c9a10a6356fa9158e62f206c63833dcc632.tar.gz mpd-79a14c9a10a6356fa9158e62f206c63833dcc632.tar.xz mpd-79a14c9a10a6356fa9158e62f206c63833dcc632.zip |
mp4: fix potential integer overflow bug in the mp4_decode() function
A crafted mp4 file could cause an integer overflow in mp4_decode
function in src/inputPlugins/mp4_plugin.c. mp4ff_num_samples()
function returns some tainted value. sizeof(float) * numSamples is an
integer overflow operation if numSamples is too huge, so xmalloc will
allocate a small memory region. I constructe a mp4 file, and use
faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd
bears from the same problem.
Diffstat (limited to 'src/sllist.h')
0 files changed, 0 insertions, 0 deletions