shithub: aacdec

Download patch

ref: cfb21cfbafc8cabe978f938d75ea8b0ce6c4295c
parent: 8e846b64725b1462f66e419159fca9a74d2026d6
author: knik <knik@users.sourceforge.net>
date: Mon Jul 10 11:50:07 EDT 2017 

multiple vulnerabilities fixed (Fabian Greffrath)


--- a/common/mp4ff/mp4atom.c
+++ b/common/mp4ff/mp4atom.c
@@ -650,6 +650,10 @@
 int32_t mp4ff_atom_read(mp4ff_t *f, const int32_t size, const uint8_t atom_type)
 {
     uint64_t dest_position = mp4ff_position(f)+size-8;
+    if (f->total_tracks == 0)
+    {
+        return -1;
+    }
     if (atom_type == ATOM_STSZ)
     {
         /* sample size box */
--- a/common/mp4ff/mp4ff.c
+++ b/common/mp4ff/mp4ff.c
@@ -40,7 +40,11 @@
 
     ff->stream = f;
 
-    parse_atoms(ff,0);
+    if (parse_atoms(ff,0) < 0)
+    {
+        free(ff);
+        ff = NULL;
+    }
 
     return ff;
 }
@@ -53,7 +57,11 @@
 
     ff->stream = f;
 
-    parse_atoms(ff,1);
+    if (parse_atoms(ff,1) < 0)
+    {
+        free(ff);
+        ff = NULL;
+    }
 
     return ff;
 }
@@ -101,13 +109,21 @@
     if (ff) free(ff);
 }
 
-void mp4ff_track_add(mp4ff_t *f)
+static int32_t mp4ff_track_add(mp4ff_t *f)
 {
     f->total_tracks++;
 
+    if (f->total_tracks > MAX_TRACKS)
+    {
+        f->total_tracks = 0;
+        return -1;
+    }
+
     f->track[f->total_tracks - 1] = malloc(sizeof(mp4ff_track_t));
 
     memset(f->track[f->total_tracks - 1], 0, sizeof(mp4ff_track_t));
+
+    return 0;
 }
 
 static int need_parse_when_meta_only(uint8_t atom_type)
@@ -159,7 +175,8 @@
          */
         if (atom_type == ATOM_TRAK)
         {
-            mp4ff_track_add(f);
+            if (mp4ff_track_add(f) < 0)
+                return -1;
         }
 
         /* parse subatoms */
@@ -168,9 +185,11 @@
 			mp4ff_set_position(f, mp4ff_position(f)+size-header_size);
 		} else if (atom_type < SUBATOMIC)
         {
-            parse_sub_atoms(f, size-header_size,meta_only);
+            if (parse_sub_atoms(f, size-header_size,meta_only) < 0)
+                return -1;
         } else {
-            mp4ff_atom_read(f, (uint32_t)size, atom_type);
+            if (mp4ff_atom_read(f, (uint32_t)size, atom_type) < 0)
+                return -1;
         }
     }
 
@@ -211,7 +230,8 @@
 			mp4ff_set_position(f, mp4ff_position(f)+size-header_size);
 		} else if (atom_type < SUBATOMIC)
         {
-            parse_sub_atoms(f, size-header_size,meta_only);
+            if (parse_sub_atoms(f, size-header_size,meta_only) < 0)
+                return -1;
         } else {
             /* skip this atom */
             mp4ff_set_position(f, mp4ff_position(f)+size-header_size);