From 01c4480fa89c1df95eb181c40e95e566974fc5a1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Fri, 24 Nov 2017 20:01:01 +0200
Subject: [PATCH] mp4: check STSS size before allocation

This avoids allocating stupid amounts of memory.

Note: there is still an infinite loop if count == 0xffffffff (with a suitably enormous input).
---
 modules/demux/mp4/libmp4.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index de973056ca..b6f2ad6eb7 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -3040,27 +3040,27 @@ static void MP4_FreeBox_stss( MP4_Box_t *p_box )
 static int MP4_ReadBox_stss( stream_t *p_stream, MP4_Box_t *p_box )
 {
+ uint32_t count;
+
 MP4_READBOX_ENTER( MP4_Box_data_stss_t, MP4_FreeBox_stss );
 MP4_GETVERSIONFLAGS( p_box->data.p_stss );
+ MP4_GET4BYTES( count );
- MP4_GET4BYTES( p_box->data.p_stss->i_entry_count );
+ if( UINT64_C(4) * count > i_read )
+ MP4_READBOX_EXIT( 0 );
- p_box->data.p_stss->i_sample_number =
- calloc( p_box->data.p_stss->i_entry_count, sizeof(uint32_t) );
+ p_box->data.p_stss->i_sample_number = vlc_alloc( count, sizeof(uint32_t) );
 if( unlikely( p_box->data.p_stss->i_sample_number == NULL ) )
 MP4_READBOX_EXIT( 0 );
+ p_box->data.p_stss->i_entry_count = count;
- unsigned int i;
- for( i = 0; (i < p_box->data.p_stss->i_entry_count )&&( i_read >= 4 ); i++ )
+ for( uint32_t i = 0; i < count; i++ )
 {
-
 MP4_GET4BYTES( p_box->data.p_stss->i_sample_number[i] );
 /* XXX in libmp4 sample begin at 0 */
 p_box->data.p_stss->i_sample_number[i]--;
 }
- if ( i < p_box->data.p_stss->i_entry_count )
- p_box->data.p_stss->i_entry_count = i;
 #ifdef MP4_VERBOSE
 msg_Dbg( p_stream, "read box: \"stss\" entry-count %d",
-- 
2.11.4.GIT
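Review bot: In the read loop, `p_box->data.p_stss->i_sample_number[i]--` is applied to a value taken straight from the file, so an entry of 0 wraps to 0xffffffff and is stored as a sample index; the new size check bounds the count but not the entries themselves. Since stss sample numbers are 1-based, a zero entry is malformed and could be rejected before the decrement, e.g. `if( p_box->data.p_stss->i_sample_number[i] == 0 ) MP4_READBOX_EXIT( 0 );`, unless every consumer of the table is known to range-check it (not visible here). Separately, with `count == 0` the result of `vlc_alloc( count, sizeof(uint32_t) )` may be NULL if a zero size is passed through to malloc, which would make an empty but well-formed stss fail; testing `count > 0 &&` inside the `unlikely( ... == NULL )` check would avoid that. MP4_ReadBox_stss continues past the end of the hunk.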