Ticket #1503 (closed defect: fixed)

Opened 2 months ago

Last modified 2 weeks ago

null deref in libmp4.c: MP4_ReadBox_stsz

Reported by: drew
Assigned to:
Priority: normal
Milestone:
Component: Demuxers
Version:
Severity: normal
Keywords:
Cc:
Platform(s): all
Difficulty: easy
Work status: Not started

Description

static int MP4_ReadBox_stsz( stream_t *p_stream, MP4_Box_t *p_box )
{
    unsigned int i;

    MP4_READBOX_ENTER( MP4_Box_data_stsz_t );

    MP4_GETVERSIONFLAGS( p_box->data.p_stsz );

    MP4_GET4BYTES( p_box->data.p_stsz->i_sample_size );

    MP4_GET4BYTES( p_box->data.p_stsz->i_sample_count );

    p_box->data.p_stsz->i_entry_size =
        calloc( p_box->data.p_stsz->i_sample_count, sizeof(uint32_t) );

    if( !p_box->data.p_stsz->i_sample_size )
    {
        for( i=0; (i<p_box->data.p_stsz->i_sample_count)&&(i_read >= 4 ); i++ )
        {
            MP4_GET4BYTES( p_box->data.p_stsz->i_entry_size[i] );

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
[Switching to process 587 thread 0x6403]
0x027f080b in MP4_ReadBox_stsz (p_stream=0x4a6198, p_box=0x4a74d0) at libmp4.c:1460
1460	            MP4_GET4BYTES( p_box->data.p_stsz->i_entry_size[i] );

Solution: check calloc return values. Note: for Mac OS X, in debug builds, to see the null deref you need to make sure that the MallocErrorAbort environment variable doesn't get set. I did that by just hex-editing the VLC executable and changing MallocErrorAbort to MallocErrorAborA.
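For illustration, here is a hardened stsz parser written for this ticket; it is an added example, not VLC's libmp4.c, and the struct, function and allocator-hook names (stsz_box_t, parse_stsz, parse_stsz_with, failing_calloc) are hypothetical. It shows the two defences the crash above calls for: bounding i_sample_count by the bytes the box actually carries before sizing the allocation on it, and checking the calloc result so a NULL return becomes an error instead of a write through a null pointer in the entry loop. The allocator hook exists only so the failure path can be exercised deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of an 'stsz' payload (not VLC's MP4_Box_data_stsz_t). */
typedef struct {
    uint8_t   version;
    uint32_t  flags;
    uint32_t  sample_size;   /* non-zero: every sample has this size, no table follows */
    uint32_t  sample_count;
    uint32_t *entry_size;    /* sample_count entries when sample_size == 0, else NULL */
} stsz_box_t;

typedef void *(*calloc_fn)(size_t, size_t);

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parses the payload that follows the box header (version/flags onward).
 * Returns 0 on success, -1 when the box is truncated or its sample_count
 * claims more entries than the payload carries, -2 when allocation fails. */
int parse_stsz_with(const uint8_t *buf, size_t len, stsz_box_t *out, calloc_fn alloc)
{
    memset(out, 0, sizeof *out);
    if (len < 12)                       /* version+flags, sample_size, sample_count */
        return -1;
    out->version      = buf[0];
    out->flags        = get_be32(buf) & 0x00ffffffu;
    out->sample_size  = get_be32(buf + 4);
    out->sample_count = get_be32(buf + 8);
    if (out->sample_size != 0)          /* constant sample size: no table to read */
        return 0;

    /* Bound the count by what the box actually contains before sizing the
     * allocation on it; the loop in the ticket only checked i_read per entry,
     * after calloc had already been asked for sample_count * 4 bytes. */
    size_t remaining = len - 12;
    if ((size_t)out->sample_count > remaining / 4)
        return -1;
    if (out->sample_count == 0)         /* avoid calloc(0, ...), whose result is implementation-defined */
        return 0;

    out->entry_size = alloc(out->sample_count, sizeof(uint32_t));
    if (out->entry_size == NULL)        /* the check the ticket asks for */
        return -2;
    for (uint32_t i = 0; i < out->sample_count; i++)
        out->entry_size[i] = get_be32(buf + 12 + (size_t)i * 4);
    return 0;
}

int parse_stsz(const uint8_t *buf, size_t len, stsz_box_t *out)
{
    return parse_stsz_with(buf, len, out, calloc);
}

void free_stsz(stsz_box_t *b) { free(b->entry_size); b->entry_size = NULL; }

/* Stand-in allocator that always fails, to exercise the -2 path deterministically. */
void *failing_calloc(size_t n, size_t sz) { (void)n; (void)sz; return NULL; }

/* Constructed sample payloads (not taken from the attached 00004062.mov). */
static const uint8_t SAMPLE_VARIABLE[] = {
    0x00,0x00,0x00,0x00,  /* version 0, flags 0 */
    0x00,0x00,0x00,0x00,  /* sample_size 0: table follows */
    0x00,0x00,0x00,0x03,  /* sample_count 3 */
    0x00,0x00,0x00,0x10, 0x00,0x00,0x00,0x20, 0x00,0x00,0x00,0x30 };
static const uint8_t SAMPLE_CONSTANT[] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x02,0x00, 0x00,0x00,0x00,0x0a };  /* size 512, count 10 */
static const uint8_t SAMPLE_BOGUS_COUNT[] = {                          /* count 0xffffffff, one entry present */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff, 0x00,0x00,0x00,0x10 };

int main(void)
{
    stsz_box_t b;
    int rc = parse_stsz(SAMPLE_VARIABLE, sizeof SAMPLE_VARIABLE, &b);
    printf("variable: rc=%d count=%u last=%u\n", rc, b.sample_count, rc == 0 ? b.entry_size[2] : 0u);
    free_stsz(&b);
    printf("bogus count: rc=%d\n", parse_stsz(SAMPLE_BOGUS_COUNT, sizeof SAMPLE_BOGUS_COUNT, &b));
    printf("alloc failure: rc=%d\n", parse_stsz_with(SAMPLE_VARIABLE, sizeof SAMPLE_VARIABLE, &b, failing_calloc));
    return 0;
}
```

The count check matters as much as the NULL check: with only the latter, a file claiming four billion samples is rejected cleanly, but one claiming a few million still forces a multi-megabyte allocation for a box that is a handful of bytes long.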

Attachments

00004062.mov (195.3 kB) - added by drew on 03/08/08 09:51:57.
test case

Change History

03/08/08 09:51:57 changed by drew

  • attachment 00004062.mov added.

test case

04/30/08 19:07:41 changed by courmisch

  • status changed from new to closed.
  • resolution set to fixed.