'[Datatype-cvs] mp4/fileformat qtatmmgs.cpp, 1.33.2.41.16.5, 1.33.2.41.16.6'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       helix-datatype-cvs
Subject:    [Datatype-cvs] mp4/fileformat qtatmmgs.cpp, 1.33.2.41.16.5, 1.33.2.41.16.6
From:       songsofwind () helixcommunity ! org
Date:       2013-09-05 18:38:55
[Download RAW message or body]

Update of /cvsroot/datatype/mp4/fileformat
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv23839

Modified Files:
      Tag: jupiter
	qtatmmgs.cpp 
Log Message:
[JIRA][RPD-RPD-1227]Security: FG-VD-12-026: mp4 poc file crashes realplayer on build \
8123

Index: qtatmmgs.cpp
===================================================================
RCS file: /cvsroot/datatype/mp4/fileformat/qtatmmgs.cpp,v
retrieving revision 1.33.2.41.16.5
retrieving revision 1.33.2.41.16.6
diff -u -d -r1.33.2.41.16.5 -r1.33.2.41.16.6

--- qtatmmgs.cpp	20 Aug 2013 18:26:48 -0000	1.33.2.41.16.5
+++ qtatmmgs.cpp	5 Sep 2013 18:38:45 -0000	1.33.2.41.16.6
@@ -2181,6 +2181,20 @@
 	    ULONG32 ulSampleDescEntrySize =
 		CQTAtom::GetUL32(pSampleDescEntry->pSize);
 
+		//fix security bug[409612], correct the atom size if it exceed the remain size
+        //remainSize = trank box totalSize - (sample desc offset - trank offset)
+        CQT_stsd_Atom* pSampleDescAtom = \
pSampleDescManager->GetSampleDescriptionAtom(); +        if (pSampleDescAtom)
+        {
+            ULONG32 sampleDesOffset = pSampleDescAtom->GetOffset() + \
pSampleDescManager->GetSampleDescBufferOffset() + 8; +            ULONG32 \
atomRemainSize  = pAtom->GetSize() - (sampleDesOffset - pAtom->GetOffset()); +        \
if (ulSampleDescEntrySize > atomRemainSize) +            {
+                HX_ASSERT(FALSE);//invalid file
+                ulSampleDescEntrySize = atomRemainSize;
+            }
+        }
+
 	    if (pTrackManager->GetFType() == QT_FTYPE_MP4)
 	    {
 		switch (pSampleDescManager->GetDataFormat())


_______________________________________________
Datatype-cvs mailing list
Datatype-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/datatype-cvs


[prev in list] [next in list] [prev in thread] [next in thread] 
