Commit 1b71a6b

fix heap-buffer-overflow in mp4read.c
This originated from an integer overflow: If mp4config.frame.ents would be read-in with a value of (uint32_t)(-1), it would overflow to 0 in the size calculation for the allocation in the next line. The malloc() function would then successfully return a pointer to a memory region of size 0, which will cause a segfault when written to. Fixes #57.
1 parent 1073aee commit 1b71a6b

1 file changed

+4
-1
lines changed

Diff for: frontend/mp4read.c

@@ -344,7 +344,10 @@ static int stszin(int size)
344344
u32in();
345345
// Number of entries
346346
mp4config.frame.ents = u32in();
347-
// fixme: check atom size
347+
348+
if (!(mp4config.frame.ents + 1))
349+
return ERR_FAIL;
350+
348351
mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)
349352
* (mp4config.frame.ents + 1));
350353
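
Review bot: The added check `if (!(mp4config.frame.ents + 1))` rejects only the single value 0xFFFFFFFF, while the product `sizeof(*mp4config.frame.data) * (mp4config.frame.ents + 1)` in the malloc() call that follows can still wrap for other large counts wherever size_t is 32 bits wide and the element size is larger than one byte. Suggest bounding the count before allocating, for example by rejecting `mp4config.frame.ents >= SIZE_MAX / sizeof(*mp4config.frame.data)`. The hunk also deletes the `// fixme: check atom size` comment without validating the entry count against the `size` argument of stszin(), so either keep the fixme or add that validation here.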
