Fixed overflow problems when reading corrupt AVCC box
		
							parent
							
								
									0eefe5a477
								
							
						
					
					
						commit
						f9a0ec5b78
					
				
					 1 changed files with 16 additions and 2 deletions
				
			
		|  | @ -574,7 +574,12 @@ namespace MP4 { | |||
|   } | ||||
| 
 | ||||
|   uint32_t AVCC::getSPSLen() { | ||||
|     return getInt16(6); | ||||
|     uint16_t len = getInt16(6); | ||||
|     if (len > payloadSize() - 8){ | ||||
|       WARN_MSG("SPS length of %u is more than AVCC box size %lu", len, payloadSize()); | ||||
|       return 0; | ||||
|     } | ||||
|     return len; | ||||
|   } | ||||
| 
 | ||||
|   char * AVCC::getSPS() { | ||||
|  | @ -621,7 +626,16 @@ namespace MP4 { | |||
| 
 | ||||
|   uint32_t AVCC::getPPSLen() { | ||||
|     int offset = 8 + getSPSLen() + 1; | ||||
|     return getInt16(offset); | ||||
|     if (offset > payloadSize() - 2){ | ||||
|       WARN_MSG("Invalid PPS length offset! Aborting PPS read."); | ||||
|       return 0; | ||||
|     } | ||||
|     uint16_t len = getInt16(offset); | ||||
|     if (len > payloadSize() - offset - 2){ | ||||
|       WARN_MSG("PPS length of %u is more than AVCC box size %lu", len, payloadSize()); | ||||
|       return 0; | ||||
|     } | ||||
|     return len; | ||||
|   } | ||||
| 
 | ||||
|   char * AVCC::getPPS() { | ||||
|  |  | |||
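Review bot: In `getSPSLen()` the bound `payloadSize() - 8` can wrap around if `payloadSize()` returns an unsigned type (its declaration is not visible here, but the `%lu` format suggests it does) and the box payload is shorter than 8 bytes. In that case `len > payloadSize() - 8` is false for every `len`, so the corrupt length is returned unchecked. Guarding the subtraction avoids this: `if (payloadSize() < 8 || len > payloadSize() - 8){`. The same pattern is in `getPPSLen()`, where `offset > payloadSize() - 2` could become `if (payloadSize() < 2 || offset > payloadSize() - 2){`; the later `payloadSize() - offset - 2` is then safe because the first check has already bounded `offset`. Note also that `getInt16(6)` is called before any size check, so a short box relies on whatever bounds handling `getInt16` has, which is outside this hunk.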
	 Thulinma
						Thulinma