Changeset 3a6282755277ba9321d405c635e50da935d258a6
- Timestamp:
- 01/03/08 19:54:56
(9 months ago)
- Author:
- Rémi Denis-Courmont <rem@videolan.org>
- git-committer:
- Rémi Denis-Courmont <rem@videolan.org> 1204397696 +0000
- git-parent:
[44fc4434028945e23a3157aaf2e6ba18babed362]
- git-author:
- Rémi Denis-Courmont <rem@videolan.org> 1204397696 +0000
- Message:
Fix buffer overflow.
-
Files:
-
| r44fc443 |
r3a62827 |
|
| 1664 | 1664 | } |
|---|
| 1665 | 1665 | |
|---|
| | 1666 | static void MP4_FreeBox_padb( MP4_Box_t *p_box ) |
|---|
| | 1667 | { |
|---|
| | 1668 | FREENULL( p_box->data.p_padb->i_reserved1 ); |
|---|
| | 1669 | FREENULL( p_box->data.p_padb->i_pad2 ); |
|---|
| | 1670 | FREENULL( p_box->data.p_padb->i_reserved2 ); |
|---|
| | 1671 | FREENULL( p_box->data.p_padb->i_pad1 ); |
|---|
| | 1672 | } |
|---|
| | 1673 | |
|---|
| 1666 | 1674 | static int MP4_ReadBox_padb( stream_t *p_stream, MP4_Box_t *p_box ) |
|---|
| 1667 | 1675 | { |
|---|
| | 1676 | int code = 0; |
|---|
| 1668 | 1677 | unsigned int i; |
|---|
| | 1678 | uint32_t count; |
|---|
| 1669 | 1679 | |
|---|
| 1670 | 1680 | MP4_READBOX_ENTER( MP4_Box_data_padb_t ); |
|---|
| … | … | |
| 1674 | 1684 | |
|---|
| 1675 | 1685 | MP4_GET4BYTES( p_box->data.p_padb->i_sample_count ); |
|---|
| 1676 | | |
|---|
| 1677 | | p_box->data.p_padb->i_reserved1 = |
|---|
| 1678 | | calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2, |
|---|
| 1679 | | sizeof(uint16_t) ); |
|---|
| 1680 | | p_box->data.p_padb->i_pad2 = |
|---|
| 1681 | | calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2, |
|---|
| 1682 | | sizeof(uint16_t) ); |
|---|
| 1683 | | p_box->data.p_padb->i_reserved2 = |
|---|
| 1684 | | calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2, |
|---|
| 1685 | | sizeof(uint16_t) ); |
|---|
| 1686 | | p_box->data.p_padb->i_pad1 = |
|---|
| 1687 | | calloc( ( p_box->data.p_padb->i_sample_count + 1 ) / 2, |
|---|
| 1688 | | sizeof(uint16_t) ); |
|---|
| 1689 | | |
|---|
| | 1686 | count = p_box->data.p_padb->i_sample_count; |
|---|
| | 1687 | count = (count + 1) / 2; |
|---|
| | 1688 | |
|---|
| | 1689 | p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) ); |
|---|
| | 1690 | p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) ); |
|---|
| | 1691 | p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) ); |
|---|
| | 1692 | p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) ); |
|---|
| 1690 | 1693 | |
|---|
| 1691 | 1694 | for( i = 0; i < i_read / 2 ; i++ ) |
|---|
| 1692 | 1695 | { |
|---|
| | 1696 | if( i >= count ) |
|---|
| | 1697 | { |
|---|
| | 1698 | MP4_FreeBox_padb( p_box ); |
|---|
| | 1699 | goto error; |
|---|
| | 1700 | } |
|---|
| 1693 | 1701 | p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01; |
|---|
| 1694 | 1702 | p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07; |
|---|
| … | … | |
| 1704 | 1712 | |
|---|
| 1705 | 1713 | #endif |
|---|
| 1706 | | MP4_READBOX_EXIT( 1 ); |
|---|
| 1707 | | } |
|---|
| 1708 | | |
|---|
| 1709 | | static void MP4_FreeBox_padb( MP4_Box_t *p_box ) |
|---|
| 1710 | | { |
|---|
| 1711 | | FREENULL( p_box->data.p_padb->i_reserved1 ); |
|---|
| 1712 | | FREENULL( p_box->data.p_padb->i_pad2 ); |
|---|
| 1713 | | FREENULL( p_box->data.p_padb->i_reserved2 ); |
|---|
| 1714 | | FREENULL( p_box->data.p_padb->i_pad1 ); |
|---|
| | 1714 | code = 1; |
|---|
| | 1715 | error: |
|---|
| | 1716 | MP4_READBOX_EXIT( code ); |
|---|
| 1715 | 1717 | } |
|---|
| 1716 | 1718 | |
|---|
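Review bot: The four `calloc( count, sizeof(uint16_t) )` results in MP4_ReadBox_padb are stored and indexed without a NULL check, while `count` is derived from the `i_sample_count` field read from the stream, so a large value can make an allocation fail and the loop then writes through a null pointer even when `i < count` holds. The new `i >= count` guard bounds the index but does not cover that case. I would test the four pointers right after the allocations and take the same `MP4_FreeBox_padb( p_box ); goto error;` path, treating NULL as a failure only when `count != 0`, because `calloc` with a zero count may return NULL. Separately, `(count + 1) / 2` wraps to 0 in `uint32_t` arithmetic when `i_sample_count` is 0xFFFFFFFF; the guard then rejects the box on the first iteration, which is safe, but a one-line comment saying so would help the next reader. Parts of the function body are elided on the page, so this is based on the visible lines only.

```c
    p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );

    /* count comes from the file: an allocation this large may fail.
     * calloc( 0, ... ) may return NULL, so only fail when count != 0. */
    if( count != 0
     && ( p_box->data.p_padb->i_reserved1 == NULL
       || p_box->data.p_padb->i_pad2 == NULL
       || p_box->data.p_padb->i_reserved2 == NULL
       || p_box->data.p_padb->i_pad1 == NULL ) )
    {
        MP4_FreeBox_padb( p_box );
        goto error;
    }
    /* ... unchanged: parsing loop with the i >= count guard ... */
```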