From 79a14c9a10a6356fa9158e62f206c63833dcc632 Mon Sep 17 00:00:00 2001
From: Terry <wangtielei@icst.pku.edu.cn>
Date: Fri, 12 Sep 2008 17:06:04 +0200
Subject: mp4: fix potential integer overflow bug in the mp4_decode() function

A crafted mp4 file could cause an integer overflow in the mp4_decode
function in src/inputPlugins/mp4_plugin.c.  The mp4ff_num_samples()
function returns a tainted value. sizeof(float) * numSamples is an
integer overflow operation if numSamples is too huge, so xmalloc will
allocate a small memory region.  I constructed an mp4 file, and used
faad2 to open the file. mp4ff_num_samples() returned -1. So I think mpd
suffers from the same problem.
---
 src/inputPlugins/mp4_plugin.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/inputPlugins/mp4_plugin.c b/src/inputPlugins/mp4_plugin.c
index 1bf46efa0..42e205997 100644
--- a/src/inputPlugins/mp4_plugin.c
+++ b/src/inputPlugins/mp4_plugin.c
@@ -174,6 +174,13 @@ static int mp4_decode(struct decoder * mpd_decoder, InputStream * inStream)
 	total_time = ((float)file_time) / scale;
 
 	numSamples = mp4ff_num_samples(mp4fh, track);
+	if (numSamples > (long)(INT_MAX / sizeof(float))) {
+		 ERROR("Integer overflow.\n");
+		 faacDecClose(decoder);
+		 mp4ff_close(mp4fh);
+		 free(mp4cb);
+		 return -1;
+	}
 
 	file_time = 0.0;
 
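Review bot: the added check `if (numSamples > (long)(INT_MAX / sizeof(float)))` does not cover the negative case the commit message itself reports (mp4ff_num_samples() returning -1): a negative numSamples passes the comparison, and sizeof(float) * numSamples then converts the negative value to size_t and wraps to a huge allocation size, so the bug described in the message is only half closed. Suggest `if (numSamples < 0 || numSamples > (long)(INT_MAX / sizeof(float)))`. Two smaller points on the same hunk: INT_MAX needs <limits.h>, which the hunk does not show being included, so confirm it is already pulled in by this file; and the five body lines of the new block are indented with a tab plus a stray space (`+\t\t ERROR(...)` through `+\t\t return -1;`) while the surrounding code uses tabs only, so drop the extra space.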
-- 
cgit v1.2.3