fix heap-buffer-overflow in mp4read.c
This originated from an integer overflow: If mp4config.frame.ents
would be read-in with a value of (uint32_t)(-1), it would overflow to 0
in the size calculation for the allocation in the next line. The
malloc() function would then successfully return a pointer to a memory
region of size 0, which will cause a segfault when written to.

Fixes #57.
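The wrap described in the commit message, alongside the bound the code's own `fixme` comment asks for, as an added example in C. This is not code from faad2 or from the commit author; `entries_alloc_size` and `wrapped_count` are hypothetical helpers, the 4-byte on-disk entry width and the 1024-byte atom sizes used below are constructed values, and `remaining` stands in for the payload bytes left in the enclosing atom.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helper (not from faad2): bytes needed for (ents + 1)
 * in-memory entries of 'elem' bytes each, or 0 when the count is unsafe.
 * 'remaining' is the number of payload bytes left in the enclosing atom,
 * the bound the "fixme: check atom size" comment in mp4read.c refers to.
 * Assumption: each on-disk table entry is 4 bytes wide. */
#define ON_DISK_ENTRY_WIDTH 4

static size_t entries_alloc_size(uint32_t ents, size_t elem, size_t remaining)
{
    /* (uint32_t)0xFFFFFFFF + 1 wraps to 0 in 32-bit arithmetic, which is
     * the case the commit fixes; widen to 64 bits before adding. */
    uint64_t count = (uint64_t)ents + 1;

    /* A table cannot hold more entries than the atom has bytes left for,
     * so any count beyond that is a malformed or hostile file, not data. */
    if (ents > remaining / ON_DISK_ENTRY_WIDTH)
        return 0;

    /* Guard the multiplication too: on builds where size_t is 32 bits the
     * product can wrap for counts far below UINT32_MAX. */
    if (elem == 0 || count > SIZE_MAX / elem)
        return 0;

    return (size_t)(count * elem);
}

/* The unchecked arithmetic from the commit message: ents + 1 evaluated
 * in uint32_t, exactly as the original size calculation did it. */
static uint32_t wrapped_count(uint32_t ents)
{
    return ents + 1;
}

int main(void)
{
    uint32_t bad = (uint32_t)-1;  /* the value named in the commit message */

    printf("ents=0x%08x -> ents+1 wraps to %u\n", bad, wrapped_count(bad));
    printf("checked size for that count: %zu (0 = rejected)\n",
           entries_alloc_size(bad, 4, 1024));
    printf("checked size for 100 entries in a 1024-byte atom: %zu\n",
           entries_alloc_size(100, 4, 1024));
    printf("checked size for 257 entries in a 1024-byte atom: %zu (0 = rejected)\n",
           entries_alloc_size(257, 4, 1024));
    return 0;
}
```

The atom-size bound does the real work here: it rejects every oversized count, not just the single value that wraps to zero, and it also keeps a malformed file from driving a multi-gigabyte `malloc()`.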
fabiangreffrath committed Aug 31, 2020
1 parent 1073aee commit 1b71a6b
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion frontend/mp4read.c
@@ -344,7 +344,10 @@ static int stszin(int size)
u32in();
// Number of entries
mp4config.frame.ents = u32in();
// fixme: check atom size

if (!(mp4config.frame.ents + 1))
return ERR_FAIL;

mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)
* (mp4config.frame.ents + 1));

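Review bot: the new guard `if (!(mp4config.frame.ents + 1))` rejects only `ents == UINT32_MAX`, the one value for which the `+ 1` wraps to 0; every other oversized count still reaches `malloc()` unbounded, and the `// fixme: check atom size` comment left in place directly above the guard names the bound that is actually needed. Consider validating `mp4config.frame.ents` against the `size` argument of `stszin()` (less the header bytes already consumed by the `u32in()` calls) before allocating. Separately, on builds where `size_t` is 32 bits the product `sizeof(*mp4config.frame.data) * (mp4config.frame.ents + 1)` can still wrap for counts well below `UINT32_MAX`, so a `SIZE_MAX / sizeof(*mp4config.frame.data)` comparison would close that case as well.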
0 comments on commit 1b71a6b