Potential unsigned int overflow in AP4_ObjectDescriptor #68

Open
boringuy opened this issue Mar 17, 2016 · 4 comments

Comments

@boringuy

I got an mp4 file I think has a malformed iods box, here is the box:
"00 00 00 2A size
69 6F 64 73 iods
00 version
00 00 00 flags
10 tag
80 80 80 00 payload size = 0
00 4F object descriptor id
FF FF FF 7F FF indication
0E
80 80 80 00
00 00
00 01
0E
80 80 80 00
00 00
00 02"

In the AP4_ObjectDescriptor constructor, it creates a SubStream like this:
AP4_SubStream* substream = new AP4_SubStream(stream, offset, payload_size-AP4_Size(offset-start));

In this case, payload_size is 0 and is an unsigned 32-bit int. So it goes into an almost infinite loop trying to create object descriptors throughout the whole file.

I have been googling for the spec that describes the iods box but cannot find any. The MP4 part 14 spec says it is described in 8.6.4, but there is no chapter 8 in that document. As you can see in the iods box above, it looks legit and not corrupted, but it seems to have excluded some of the bytes from the payload size. I didn't encode this video, but it mentions "L-SMASH Video Handler". Must be a bug.
The video plays fine through mplayer.

@barbibulle
Contributor

Can you share the file? I can take a look and add some code logic to defend against this type of probably malformed bitstream.

@boringuy
Author

Unfortunately, I don't own the video, so I cannot share it. I am about to create a pull request but I am also trying to go through everywhere a SubStream is created and make sure we don't have the same problem.

@boringuy
Author

In AP4_DescriptorFactory::CreateDescriptorFromStream, after it has calculated the payload_size, I just put this check in place, and then it continues to parse the file fine:

    if (!payload_size) {
        stream.Seek(offset);
        return AP4_ERROR_INVALID_FORMAT;
    }
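
The two computations discussed in this thread (the wrapping subtraction from the first comment and the zero-size check from the comment above), as an added, self-contained example that is not Bento4's code. It models AP4_Size as uint32_t, decodes the MPEG-4 Systems expandable size field (7 bits per byte, high bit means "more bytes follow"), and reconstructs the iods box quoted in the issue byte-for-byte as constructed input. Function names (ReadExpandableSize, ParseIodsDescriptor, and so on), the two-byte ObjectDescriptor id consumed before the substream is created, and the corrected outer size in WellFormedIods are assumptions of this example, not the project's API. The hardened check is slightly more general than the `!payload_size` test: it rejects any payload smaller than the fixed fields already consumed, which is exactly the condition under which `payload_size - (offset - start)` wraps.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Decode an MPEG-4 Systems "expandable" size field: 1 to 4 bytes, 7 payload
// bits each, high bit set means another byte follows. Returns false on a
// truncated field or on a fifth byte. `pos` is advanced past the field.
static bool ReadExpandableSize(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& size) {
    size = 0;
    for (int i = 0; i < 4; ++i) {
        if (pos >= buf.size()) return false;
        uint8_t b = buf[pos++];
        size = (size << 7) | (b & 0x7Fu);
        if ((b & 0x80u) == 0) return true;
    }
    return false;
}

// Convenience wrapper: the decoded size, or -1 if the field is malformed.
static long long DecodeSize(const std::vector<uint8_t>& field) {
    size_t pos = 0;
    uint32_t size = 0;
    return ReadExpandableSize(field, pos, size) ? static_cast<long long>(size) : -1;
}

// The arithmetic quoted in the issue, with AP4_Size modelled as uint32_t (assumption).
// When payload_size is smaller than the bytes already consumed, the unsigned
// subtraction wraps to nearly 4 GiB, so the substream spans the rest of the file.
static uint32_t UncheckedSubstreamSize(uint32_t payload_size, uint32_t consumed) {
    return payload_size - consumed;
}

// Hardened form: refuse a substream whose fixed fields do not fit inside the
// declared payload. This also rejects the payload_size == 0 case from the issue.
static bool CheckedSubstreamSize(uint32_t payload_size, uint32_t consumed, uint32_t& out) {
    if (payload_size < consumed) return false;
    out = payload_size - consumed;
    return true;
}

enum ParseResult { kOk = 0, kInvalidFormat = 1, kWouldOverrun = 2 };
struct ParseOutcome { ParseResult result; uint32_t substream_size; };

// Parse the first descriptor of an iods box: tag, expandable size, then the
// 2-byte ObjectDescriptor id that is consumed before the substream is created.
// `hardened` selects the checked size computation. (Hypothetical parser.)
static ParseOutcome ParseIodsDescriptor(const std::vector<uint8_t>& box, bool hardened) {
    ParseOutcome out = { kInvalidFormat, 0 };
    const size_t kFullBoxHeader = 12;                        // size, type, version, flags
    if (box.size() < kFullBoxHeader + 1) return out;
    size_t pos = kFullBoxHeader + 1;                         // skip the descriptor tag byte
    uint32_t payload_size = 0;
    if (!ReadExpandableSize(box, pos, payload_size)) return out;
    size_t start = pos;                                      // payload start ("start" in the issue)
    if (box.size() - pos < 2) return out;
    pos += 2;                                                // ObjectDescriptor id + flags
    uint32_t consumed = static_cast<uint32_t>(pos - start);  // "offset - start"
    if (hardened) {
        if (!CheckedSubstreamSize(payload_size, consumed, out.substream_size)) return out;
        out.result = kOk;
        return out;
    }
    out.substream_size = UncheckedSubstreamSize(payload_size, consumed);
    // Unchecked: report whether the substream would extend past the box.
    out.result = (out.substream_size > box.size() - pos) ? kWouldOverrun : kOk;
    return out;
}

// The iods box from the issue, reconstructed byte-for-byte (constructed input).
static const std::vector<uint8_t> kMalformedIods = {
    0x00,0x00,0x00,0x2A, 0x69,0x6F,0x64,0x73,          // size 42, 'iods'
    0x00, 0x00,0x00,0x00,                              // version, flags
    0x10, 0x80,0x80,0x80,0x00,                         // tag, expandable size = 0
    0x00,0x4F,                                         // ObjectDescriptor id
    0xFF,0xFF,0xFF,0x7F,0xFF,                          // "indication" bytes as labelled in the issue
    0x0E, 0x80,0x80,0x80,0x00, 0x00,0x00,0x00,0x01,    // tag 0x0E, size 0, 00 00 00 01
    0x0E, 0x80,0x80,0x80,0x00, 0x00,0x00,0x00,0x02     // tag 0x0E, size 0, 00 00 00 02
};

// Same box with the outer size corrected to the 25 bytes that follow it
// (constructed; inner sizes are left alone since only the outer one is parsed here).
static std::vector<uint8_t> WellFormedIods() {
    std::vector<uint8_t> box = kMalformedIods;
    box[16] = 0x19;   // 80 80 80 19 -> 25
    return box;
}

int main() {
    ParseOutcome bad = ParseIodsDescriptor(kMalformedIods, false);
    ParseOutcome fixed = ParseIodsDescriptor(kMalformedIods, true);
    std::printf("unchecked: result=%d substream=%u\n", bad.result, bad.substream_size);
    std::printf("hardened:  result=%d\n", fixed.result);
    return 0;
}
```

Run stand-alone, the unchecked path reports a substream of 4294967294 bytes for a 42-byte box, which is the "walk the whole file" behaviour described in the first comment; the hardened path returns kInvalidFormat before any substream is created.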

@boringuy
Author

Yes, I think that's the only place I see.
