Skip to content

Commit bceb03f

Browse files
committed
fixed 2 possible heap overflows (inc. #1088)
1 parent 2ce4dcf commit bceb03f

File tree

3 files changed

+9
-9
lines changed

3 files changed

+9
-9
lines changed

Diff for: include/gpac/internal/isomedia_dev.h

+1-1
Original file line numberDiff line numberDiff line change
@@ -3710,7 +3710,7 @@ GF_GenericSubtitleSample *gf_isom_parse_generic_subtitle_sample_from_data(char *
37103710
char __ptype[5];\
37113711
strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
37123712
GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
3713-
gf_isom_box_del(a);\
3713+
gf_isom_box_del(__abox);\
37143714
return GF_OK;\
37153715
}
37163716

Diff for: src/isomedia/box_code_base.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -632,7 +632,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream *bs)
632632

633633
//then get the break
634634
i = 0;
635-
while ( (tmpName[i] != 0) && (i < to_read) ) {
635+
while ( (i < to_read) && (tmpName[i] != 0) ) {
636636
i++;
637637
}
638638
//check the data is consistent

Diff for: src/isomedia/box_dump.c

+7-7
Original file line numberDiff line numberDiff line change
@@ -484,7 +484,7 @@ GF_Err hdlr_dump(GF_Box *a, FILE * trace)
484484
{
485485
GF_HandlerBox *p = (GF_HandlerBox *)a;
486486
gf_isom_box_dump_start(a, "HandlerBox", trace);
487-
if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
487+
if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
488488
fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
489489
} else {
490490
fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
@@ -4157,9 +4157,9 @@ static void oinf_entry_dump(GF_OperatingPointsInformation *ptr, FILE * trace)
41574157
fprintf(trace, " maxPicWidth=\"%u\" maxPicHeight=\"%u\"", op->maxPicWidth, op->maxPicHeight);
41584158
fprintf(trace, " maxChromaFormat=\"%u\" maxBitDepth=\"%u\"", op->maxChromaFormat, op->maxBitDepth);
41594159
fprintf(trace, " frame_rate_info_flag=\"%u\" bit_rate_info_flag=\"%u\"", op->frame_rate_info_flag, op->bit_rate_info_flag);
4160-
if (op->frame_rate_info_flag)
4160+
if (op->frame_rate_info_flag)
41614161
fprintf(trace, " avgFrameRate=\"%u\" constantFrameRate=\"%u\"", op->avgFrameRate, op->constantFrameRate);
4162-
if (op->bit_rate_info_flag)
4162+
if (op->bit_rate_info_flag)
41634163
fprintf(trace, " maxBitRate=\"%u\" avgBitRate=\"%u\"", op->maxBitRate, op->avgBitRate);
41644164
fprintf(trace, "/>\n");
41654165
}
@@ -4261,14 +4261,14 @@ static void nalm_dump(FILE * trace, char *data, u32 data_size)
42614261
fprintf(trace, "</NALUMap>\n");
42624262
return;
42634263
}
4264-
4264+
42654265
bs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);
42664266
gf_bs_read_int(bs, 6);
42674267
large_size = gf_bs_read_int(bs, 1);
42684268
rle = gf_bs_read_int(bs, 1);
42694269
entry_count = gf_bs_read_int(bs, large_size ? 16 : 8);
42704270
fprintf(trace, "<NALUMap rle=\"%d\" large_size=\"%d\">\n", rle, large_size);
4271-
4271+
42724272
while (entry_count) {
42734273
u32 ID;
42744274
fprintf(trace, "<NALUMapEntry ");
@@ -4338,7 +4338,7 @@ GF_Err sgpd_dump(GF_Box *a, FILE * trace)
43384338
case GF_ISOM_SAMPLE_GROUP_TRIF:
43394339
trif_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length);
43404340
break;
4341-
4341+
43424342
case GF_ISOM_SAMPLE_GROUP_NALM:
43434343
nalm_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length);
43444344
break;
@@ -4507,7 +4507,7 @@ GF_Err tenc_dump(GF_Box *a, FILE * trace)
45074507
fprintf(trace, "\" KID=\"");
45084508
}
45094509
dump_data_hex(trace, (char *) ptr->KID, 16);
4510-
if (ptr->version)
4510+
if (ptr->version)
45114511
fprintf(trace, "\" crypt_byte_block=\"%d\" skip_byte_block=\"%d", ptr->crypt_byte_block, ptr->skip_byte_block);
45124512
fprintf(trace, "\">\n");
45134513
gf_isom_box_dump_done("TrackEncryptionBox", a, trace);

0 commit comments

Comments
 (0)