Codebase list faad2 / 1b71a6b
fix heap-buffer-overflow in mp4read.c

This originated from an integer overflow: If mp4config.frame.ents would be read-in with a value of (uint32_t)(-1), it would overflow to 0 in the size calculation for the allocation in the next line. The malloc() function would then successfully return a pointer to a memory region of size 0, which will cause a segfault when written to.

Fixes #57.

Fabian Greffrath 3 years ago
1 changed file(s) with 4 addition(s) and 1 deletion(s).
343343 u32in();
344344 // Number of entries
345345 mp4config.frame.ents = u32in();
346 // fixme: check atom size
346
347 if (!(mp4config.frame.ents + 1))
348 return ERR_FAIL;
349
347350 mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)
348351 * (mp4config.frame.ents + 1));
349352
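Review bot: The added check at new line 347, `if (!(mp4config.frame.ents + 1))`, rejects only the single value 0xFFFFFFFF, while the product `sizeof(*mp4config.frame.data) * (mp4config.frame.ents + 1)` can still wrap where size_t is 32 bits and the element size is larger than one byte, which again yields an allocation smaller than the entry count implies. Bounding ents against `SIZE_MAX / sizeof(*mp4config.frame.data) - 1`, or better against the number of entries the enclosing atom's size can actually hold, would close the whole class rather than one value. The hunk also deletes `// fixme: check atom size` although nothing in it validates the atom size, so that comment should stay until such a check exists. Nothing in the visible lines tests the malloc() result before it is used, so a NULL check with the same `return ERR_FAIL;` path is worth confirming just below this hunk.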