ISOM_DECREASE_SIZE(ptr, 4)
- if (ptr->nb_entries > ptr->size / 8) {
+ if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
return GF_ISOM_INVALID_FILE;
}
ISOM_DECREASE_SIZE(ptr, 4);
ptr->nb_entries = gf_bs_read_u32(bs);
- if (ptr->nb_entries > ptr->size / 8) {
+ if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
return GF_ISOM_INVALID_FILE;
}
}
if (ptr->nb_entries) {
+ if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
if (!p) return GF_OUT_OF_MEM;
}
ISOM_DECREASE_SIZE(ptr, 4);
ptr->nb_entries = gf_bs_read_u32(bs);
- if (ptr->nb_entries > ptr->size / 4) {
+ if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
return GF_ISOM_INVALID_FILE;
}
ISOM_DECREASE_SIZE(ptr, 4);
ptr->nb_entries = gf_bs_read_u32(bs);
- if (ptr->nb_entries > ptr->size / 12) {
+ if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
return GF_ISOM_INVALID_FILE;
}
}
}
}
+ if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
+ return GF_ISOM_INVALID_FILE;
+ }
if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
if (! ptr->sampleSize && ptr->sampleCount) {
if (ptr->sampleCount > ptr->size / 4) {
ISOM_DECREASE_SIZE(ptr, 4);
ptr->nb_entries = gf_bs_read_u32(bs);
- if (ptr->size < ptr->nb_entries * 8) {
+ if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
return GF_ISOM_INVALID_FILE;
}
if (ptr->sample_count * 4 > ptr->size) {
ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
}
+ if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
+ return GF_ISOM_INVALID_FILE;
+ }
ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
if (!ptr->samples) return GF_OUT_OF_MEM;
ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
ISOM_DECREASE_SIZE(ptr, 4)
ptr->subsegment_count = gf_bs_read_u32(bs);
//each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
- if (ptr->size < ptr->subsegment_count*4)
+ if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
return GF_ISOM_INVALID_FILE;
GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
ISOM_DECREASE_SIZE(ptr, 4)
subseg->range_count = gf_bs_read_u32(bs);
//each range is 4 bytes, abort if not enough bytes
- if (ptr->size < subseg->range_count*4)
+ if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
return GF_ISOM_INVALID_FILE;
subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
if (!subseg->ranges) return GF_OUT_OF_MEM;
ISOM_DECREASE_SIZE(ptr, 4);
ptr->subsegment_count = gf_bs_read_u32(bs);
+ if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
+ return GF_ISOM_INVALID_FILE;
+ }
+
ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
if (!ptr->pcr_values) return GF_OUT_OF_MEM;
for (i=0; i<ptr->subsegment_count; i++) {
}
ptr->entry_count = gf_bs_read_u32(bs);
- if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
+ if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
return GF_ISOM_INVALID_FILE;
ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
if (ptr->entry_count) {
u32 i;
- if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
+ if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
return GF_ISOM_INVALID_FILE;
ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
if (!ptr->offsets)
ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
- if (ptr->nb_entries > UINT_MAX / 6)
+ if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
return GF_ISOM_INVALID_FILE;
ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
+ if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
+
ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
if (!ptr->entries) return GF_OUT_OF_MEM;
projects / gpac.git / commitdiff