Set MP4Array size only after successful alloc.

enzo1982 · enzo1982 · commit 35c20e02eabe · 2022-02-11T21:08:22.000+01:00
m_numElements was set before checking newSize and trying MP4Realloc. In case the size check or MP4Realloc threw an exception, deallocators would iterate over the never allocated new number of elements and attempt calling delete on them. Also check size of ftyp atom to avoid the uint32_t underflow that caused the bad alloc request. Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-17236
diff --git a/src/atom_ftyp.cpp b/src/atom_ftyp.cpp
@@ -53,6 +53,9 @@ void MP4FtypAtom::Generate()
 
 void MP4FtypAtom::Read()
 {
+    if ( m_size < 8 )
+        throw new EXCEPTION("Invalid ftyp atom size");
+
     compatibleBrands.SetCount( (m_size - 8) / 4 ); // brands array fills rest of atom
     MP4Atom::Read();
 }
diff --git a/src/mp4array.h b/src/mp4array.h
@@ -77,9 +77,10 @@ class MP4Array {
                   throw new PLATFORM_EXCEPTION("illegal array index", ERANGE); \
             } \
             if (m_numElements == m_maxNumElements) { \
-                m_maxNumElements = max(m_maxNumElements, (MP4ArrayIndex)1) * 2; \
+                MP4ArrayIndex newSize = max(m_maxNumElements, (MP4ArrayIndex)1) * 2; \
                 m_elements = (type*)MP4Realloc(m_elements, \
-                    m_maxNumElements * sizeof(type)); \
+                    newSize * sizeof(type)); \
+                m_maxNumElements = newSize; \
             } \
             memmove(&m_elements[newIndex + 1], &m_elements[newIndex], \
                 (m_numElements - newIndex) * sizeof(type)); \
@@ -100,12 +101,12 @@ class MP4Array {
             } \
         } \
         void Resize(MP4ArrayIndex newSize) { \
+            if ( (uint64_t) newSize * sizeof(type) > 0xFFFFFFFF ) \
+                throw new PLATFORM_EXCEPTION("requested array size exceeds 4GB", ERANGE); /* prevent overflow */ \
+            m_elements = (type*)MP4Realloc(m_elements, \
+                newSize * sizeof(type)); \
             m_numElements = newSize; \
             m_maxNumElements = newSize; \
-            if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
-               throw new PLATFORM_EXCEPTION("requested array size exceeds 4GB", ERANGE); /* prevent overflow */ \
-            m_elements = (type*)MP4Realloc(m_elements, \
-                m_maxNumElements * sizeof(type)); \
         } \
         \
         type& operator[](MP4ArrayIndex index) { \

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ void MP4FtypAtom::Generate()`
`53`	`53`
`54`	`54`	`void MP4FtypAtom::Read()`
`55`	`55`	`{`
	`56`	`+ if ( m_size < 8 )`
	`57`	`+ throw new EXCEPTION("Invalid ftyp atom size");`
	`58`	`+`
`56`	`59`	`compatibleBrands.SetCount( (m_size - 8) / 4 ); // brands array fills rest of atom`
`57`	`60`	`MP4Atom::Read();`
`58`	`61`	`}`