From 79a14c9a10a6356fa9158e62f206c63833dcc632 Mon Sep 17 00:00:00 2001
From: Terry
Date: Fri, 12 Sep 2008 17:06:04 +0200
Subject: mp4: fix potential integer overflow bug in the mp4_decode() function

A crafted mp4 file could cause an integer overflow in mp4_decode function in src/inputPlugins/mp4_plugin.c. mp4ff_num_samples() function returns some tainted value. sizeof(float) * numSamples is an integer overflow operation if numSamples is too huge, so xmalloc will allocate a small memory region. I constructe a mp4 file, and use faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd bears from the same problem.
---
 src/inputPlugins/mp4_plugin.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src')

diff --git a/src/inputPlugins/mp4_plugin.c b/src/inputPlugins/mp4_plugin.c
index 1bf46efa0..42e205997 100644
--- a/src/inputPlugins/mp4_plugin.c
+++ b/src/inputPlugins/mp4_plugin.c
@@ -174,6 +174,13 @@ static int mp4_decode(struct decoder * mpd_decoder, InputStream * inStream)
 total_time = ((float)file_time) / scale;
 numSamples = mp4ff_num_samples(mp4fh, track);
+ if (numSamples > (long)(INT_MAX / sizeof(float))) {
+ ERROR("Integer overflow.\n");
+ faacDecClose(decoder);
+ mp4ff_close(mp4fh);
+ free(mp4cb);
+ return -1;
+ }
 file_time = 0.0;
-- 
cgit v1.2.3
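Review bot: The added guard rejects only oversized counts, yet the commit message itself reports mp4ff_num_samples() returning -1 for the crafted file; a negative numSamples is not greater than the bound, so it reaches the sizeof(float) * numSamples allocation, where it is converted to an unsigned size rather than rejected. Assuming numSamples is a signed type, as the (long) cast suggests, the condition should be `if (numSamples < 0 || numSamples > (long)(INT_MAX / sizeof(float))) {`. The bound also deserves a one-line comment, e.g. `/* sample count comes from the file; bound it before it sizes the allocation below */`, so the next reader knows why INT_MAX rather than SIZE_MAX is used. The three close/free calls presumably repeat the function's other error paths, and INT_MAX needs <limits.h>, neither of which is visible here; a shared cleanup label would keep the release sequence in one place. mp4_decode() starts and ends outside this hunk.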