Skip to content

Commit

Permalink
Merge pull request #933 from roticv/master
Browse files Browse the repository at this point in the history
Fix overflow issues found by fuzzer
  • Loading branch information
barbibulle authored Mar 22, 2024
2 parents f13abef + 3ed084f commit 61639cc
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 2 deletions.
4 changes: 4 additions & 0 deletions Source/C++/Core/Ap4IproAtom.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,10 @@ AP4_IproAtom::AP4_IproAtom(AP4_UI32 size,
AP4_AtomFactory& atom_factory) :
AP4_ContainerAtom(AP4_ATOM_TYPE_IPRO, size, false, version, flags)
{
if (size < AP4_FULL_ATOM_HEADER_SIZE + 2) {
return;
}

// read the number of entries
AP4_UI16 entry_count;
stream.ReadUI16(entry_count);
Expand Down
3 changes: 2 additions & 1 deletion Source/C++/Core/Ap4Marlin.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1116,10 +1116,11 @@ AP4_MkidAtom::AP4_MkidAtom(AP4_Size size,
AP4_ByteStream& stream) :
AP4_Atom(AP4_ATOM_TYPE_MKID, size, version, flags)
{
if (size < AP4_FULL_ATOM_HEADER_SIZE+4) return;
AP4_Size available = size-(AP4_FULL_ATOM_HEADER_SIZE+4);
AP4_UI32 entry_count = 0;
stream.ReadUI32(entry_count);
if (available < entry_count*(16+4)) return;
if (available < (AP4_UI64)entry_count*(16+4)) return;
m_Entries.SetItemCount(entry_count);
for (unsigned int i=0; i<entry_count && available >= 16+4; i++) {
AP4_UI32 entry_size;
Expand Down
2 changes: 1 addition & 1 deletion Source/C++/Core/Ap4SaioAtom.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ AP4_SaioAtom::AP4_SaioAtom(AP4_UI32 size,
AP4_Result result = stream.ReadUI32(entry_count);
if (AP4_FAILED(result)) return;
remains -= 4;
if (remains < entry_count*(m_Version==0?4:8)) {
if (remains < (AP4_UI64)entry_count*(m_Version==0?4:8)) {
return;
}
m_Entries.SetItemCount(entry_count);
Expand Down

0 comments on commit 61639cc

Please sign in to comment.