mp4: fix potential integer overflow bug in the mp4_decode() function

A crafted mp4 file could cause an integer overflow in mp4_decode function in src/inputPlugins/mp4_plugin.c. mp4ff_num_samples() function returns some tainted value. sizeof(float) * numSamples is an integer overflow operation if numSamples is too huge, so xmalloc will allocate a small memory region. I constructe a mp4 file, and use faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd bears from the same problem.
author: Terry <wangtielei@icst.pku.edu.cn> 2008-09-12 17:06:04 +0200
committer: Eric Wong <normalperson@yhbt.net> 2008-09-12 21:41:38 -0700
commit: a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3 (patch)
tree: 6bdeb3c35fbf01533aa6b9a5c5a6d2d1282c186d /src
parent: 12d4956528b7abd34aa5d827a2f088f6eb45df98 (diff)
download: mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.tar.gz
mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.tar.xz
mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/src/inputPlugins/mp4_plugin.c b/src/inputPlugins/mp4_plugin.c
index cc2b89efc..1e65f6667 100644
--- a/src/inputPlugins/mp4_plugin.c
+++ b/src/inputPlugins/mp4_plugin.c
@@ -171,6 +171,13 @@ static int mp4_decode(InputStream * inStream)
 	dc.total_time = ((float)file_time) / scale;
 
 	numSamples = mp4ff_num_samples(mp4fh, track);
+	if (numSamples > (long)(INT_MAX / sizeof(float))) {
+		 ERROR("Integer overflow.\n");
+		 faacDecClose(decoder);
+		 mp4ff_close(mp4fh);
+		 free(mp4cb);
+		 return -1;
+	}
 
 	file_time = 0.0;
author	Terry <wangtielei@icst.pku.edu.cn>	2008-09-12 17:06:04 +0200
committer	Eric Wong <normalperson@yhbt.net>	2008-09-12 21:41:38 -0700
commit	a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3 (patch)
tree	6bdeb3c35fbf01533aa6b9a5c5a6d2d1282c186d /src
parent	12d4956528b7abd34aa5d827a2f088f6eb45df98 (diff)
download	mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.tar.gz mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.tar.xz mpd-a7b17bf7f5e423c39d3c6af45cb73b9cce93f1a3.zip