From f9a0ec5b782240b599f1b189c56880a667722286 Mon Sep 17 00:00:00 2001
From: Thulinma
Date: Sat, 1 Jul 2017 12:34:54 +0200
Subject: [PATCH] Fixed overflow problems when reading corrupt AVCC box

---
 lib/mp4_generic.cpp | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/mp4_generic.cpp b/lib/mp4_generic.cpp
index 8b3d3f14..c08b5e70 100644
--- a/lib/mp4_generic.cpp
+++ b/lib/mp4_generic.cpp
@@ -574,7 +574,12 @@ namespace MP4 {
   }
 
   uint32_t AVCC::getSPSLen() {
-    return getInt16(6);
+    uint16_t len = getInt16(6);
+    if (len > payloadSize() - 8){
+      WARN_MSG("SPS length of %u is more than AVCC box size %lu", len, payloadSize());
+      return 0;
+    }
+    return len;
   }
 
   char * AVCC::getSPS() {
@@ -621,7 +626,16 @@ namespace MP4 {
 
   uint32_t AVCC::getPPSLen() {
     int offset = 8 + getSPSLen() + 1;
-    return getInt16(offset);
+    if (offset > payloadSize() - 2){
+      WARN_MSG("Invalid PPS length offset! Aborting PPS read.");
+      return 0;
+    }
+    uint16_t len = getInt16(offset);
+    if (len > payloadSize() - offset - 2){
+      WARN_MSG("PPS length of %u is more than AVCC box size %lu", len, payloadSize());
+      return 0;
+    }
+    return len;
   }
 
   char * AVCC::getPPS() {
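Review bot: In getSPSLen() the bound check `len > payloadSize() - 8` runs after `getInt16(6)` has already read bytes 6–7, so a truncated box shorter than 8 bytes is still read past its end, and if payloadSize() is unsigned (the `%lu` format suggests it is) the subtraction wraps and the check passes for such boxes. Guard the size before touching the payload: `if (payloadSize() < 8){ WARN_MSG("AVCC box too small for SPS length"); return 0; }` placed ahead of the `getInt16(6)` line. The same underflow pattern appears in the getPPSLen() hunk below. Returning 0 for a corrupt length is reasonable as a fail-closed default, but it is worth a one-line comment that callers cannot distinguish "invalid" from a genuinely empty SPS.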
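Review bot: In getPPSLen() the new guard `offset > payloadSize() - 2` mixes a signed `int offset` with what appears to be an unsigned size, and `payloadSize() - 2` wraps when the box is smaller than 2 bytes, so the comparison is only correct for boxes that are already at least 2 bytes. Rewriting the test without the subtraction avoids both issues: `if (payloadSize() < (size_t)offset + 2){`. The second check `len > payloadSize() - offset - 2` is then safe because the first guarantees the subtrahend does not exceed payloadSize(). Note also that when getSPSLen() has rejected a corrupt SPS and returned 0, offset becomes 9 and PPS parsing proceeds from there; whether that is the intended behaviour for a box already known to be corrupt deserves a comment on the `int offset = ...` line.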