aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorTerry <wangtielei@icst.pku.edu.cn>2008-09-12 17:06:04 +0200
committerMax Kellermann <max@duempel.org>2008-09-12 17:06:04 +0200
commit79a14c9a10a6356fa9158e62f206c63833dcc632 (patch)
tree1b67fd9afa938c614d68ab49e8da77daaeb809f6 /src
parent89c8b19a8c4a21e8ce578bd92120581f640fc2af (diff)
downloadmpd-79a14c9a10a6356fa9158e62f206c63833dcc632.tar.gz
mpd-79a14c9a10a6356fa9158e62f206c63833dcc632.tar.xz
mpd-79a14c9a10a6356fa9158e62f206c63833dcc632.zip
mp4: fix potential integer overflow bug in the mp4_decode() function
A crafted mp4 file could cause an integer overflow in mp4_decode function in src/inputPlugins/mp4_plugin.c. mp4ff_num_samples() function returns some tainted value. sizeof(float) * numSamples is an integer overflow operation if numSamples is too huge, so xmalloc will allocate a small memory region. I constructe a mp4 file, and use faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd bears from the same problem.
Diffstat (limited to '')
-rw-r--r--src/inputPlugins/mp4_plugin.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/inputPlugins/mp4_plugin.c b/src/inputPlugins/mp4_plugin.c
index 1bf46efa0..42e205997 100644
--- a/src/inputPlugins/mp4_plugin.c
+++ b/src/inputPlugins/mp4_plugin.c
@@ -174,6 +174,13 @@ static int mp4_decode(struct decoder * mpd_decoder, InputStream * inStream)
total_time = ((float)file_time) / scale;
numSamples = mp4ff_num_samples(mp4fh, track);
+ if (numSamples > (long)(INT_MAX / sizeof(float))) {
+ ERROR("Integer overflow.\n");
+ faacDecClose(decoder);
+ mp4ff_close(mp4fh);
+ free(mp4cb);
+ return -1;
+ }
file_time = 0.0;