diff --git a/mp4v2-Win/include/mp4v2/project.h b/mp4v2-Win/include/mp4v2/project.h
index 76bd6f8..4fc3732 100644
--- a/mp4v2-Win/include/mp4v2/project.h
+++ b/mp4v2-Win/include/mp4v2/project.h
@@ -6,17 +6,17 @@
 #define MP4V2_PROJECT_name "MP4v2"
 #define MP4V2_PROJECT_name_lower "mp4v2"
 #define MP4V2_PROJECT_name_upper "MP4V2"
-#define MP4V2_PROJECT_name_formal "MP4v2 3.0.3.0"
+#define MP4V2_PROJECT_name_formal "MP4v2 3.0.4.0"
 #define MP4V2_PROJECT_url_website "http://code.google.com/p/mp4v2"
 #define MP4V2_PROJECT_url_downloads "http://code.google.com/p/mp4v2/downloads/list"
 #define MP4V2_PROJECT_url_discussion "http://groups.google.com/group/mp4v2"
 #define MP4V2_PROJECT_irc "irc://irc.freenode.net/handbrake"
 #define MP4V2_PROJECT_bugreport ""
-#define MP4V2_PROJECT_version "3.0.3.0"
+#define MP4V2_PROJECT_version "3.0.4.0"
 #define MP4V2_PROJECT_version_hex 0x00020100
 #define MP4V2_PROJECT_version_major 3
 #define MP4V2_PROJECT_version_minor 0
-#define MP4V2_PROJECT_version_point 3
+#define MP4V2_PROJECT_version_point 4
 #define MP4V2_PROJECT_repo_url "https://mp4v2.googlecode.com/svn/trunk"
 #define MP4V2_PROJECT_repo_root "https://mp4v2.googlecode.com/svn"
 #define MP4V2_PROJECT_repo_uuid "6e6572fa-98a6-11dd-ad9f-f77439c74b79"
diff --git a/mp4v2-Win/mp4v2.autopkg b/mp4v2-Win/mp4v2.autopkg
index 71918bd..91b0acf 100644
--- a/mp4v2-Win/mp4v2.autopkg
+++ b/mp4v2-Win/mp4v2.autopkg
@@ -10,7 +10,7 @@ nuget
 nuspec {
 id = mp4v2;
- version: 3.0.3.0;
+ version: 3.0.4.0;
 title: MP4v2 Library;
 authors: { TechSmith Corporation };
 owners: { TechSmith Corporation };
@@ -27,7 +27,8 @@ nuget
 3.0.1.0 Bumping the version number since some new functions were added in the past three commits
 3.0.1.1 Sync version number in .autopkg with the one in mp4v2/project.h
 3.0.2.0 Picking up Stephen Wagner's updates to handle PNG MOVs
- 3.0.3.0 Fixing a bug where version number 3.0.2 was inconsistent in project.h";
+ 3.0.3.0 Fixing a bug where version number 3.0.2 was inconsistent in project.h
+ 3.0.4.0 Security fixes";
 copyright: "";
 tags: { native, mp4v2, mp4, vs2015 };
 };
diff --git a/src/mp4array.h b/src/mp4array.h
index c49d59b..69d470a 100644
--- a/src/mp4array.h
+++ b/src/mp4array.h
@@ -102,6 +102,8 @@ class MP4Array {
 void Resize(MP4ArrayIndex newSize) { \
 m_numElements = newSize; \
 m_maxNumElements = newSize; \
+ if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
+ throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \
 m_elements = (type*)MP4Realloc(m_elements, \
 m_maxNumElements * sizeof(type)); \
 } \
diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
index 2d71f0d..1e4c440 100644
--- a/src/mp4atom.cpp
+++ b/src/mp4atom.cpp
@@ -143,6 +143,13 @@ MP4Atom* MP4Atom::ReadAtom(MP4File& file, MP4Atom* pParentAtom)
 dataSize = file.GetSize() - pos;
 }
+ // Prevent integer underflow due to incorrect atom size read from file
+ if ( dataSize < hdrSize ) {
+ ostringstream oss;
+ oss << "Invalid atom size in '" << type << "' atom, dataSize = " << dataSize << " cannot be less than hdrSize = " << static_cast( hdrSize );
+ log.errorf( "%s: \"%s\": %s", __FUNCTION__, file.GetFilename().c_str(), oss.str().c_str() );
+ throw new Exception( oss.str().c_str(), __FILE__, __LINE__, __FUNCTION__ );
+ }
 dataSize -= hdrSize;
 log.verbose1f("\"%s\": type = \"%s\" data-size = %" PRIu64 " (0x%" PRIx64 ") hdr %u",
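Review bot: The new size guard in Resize runs after `m_numElements` and `m_maxNumElements` have already been assigned, so when it throws the array is left advertising a count and capacity that its `m_elements` buffer does not have, and any later element access through those stale sizes is out of bounds. Move the check above the two assignments and test the parameter directly, `if ( (uint64_t) newSize * sizeof(type) > 0xFFFFFFFF ) \`, so a rejected request leaves the array exactly as it was. If the macro has other growth paths that scale `m_maxNumElements` (only Resize is visible in the hunk), they presumably need the same cap, which would argue for a small shared `CheckSize(newSize)` helper inside the macro rather than an inline comparison. The MP4Array macro body continues outside the hunk.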
@@ -778,8 +785,10 @@ MP4Atom::factory( MP4File &file, MP4Atom* parent, const char* type )
 const char* const ptype = parent->GetType();
 if( descendsFrom( parent, "ilst" )) {
- if( ATOMID( ptype ) == ATOMID( "ilst" ))
- return new MP4ItemAtom( file, type );
+ if( ATOMID( ptype ) == ATOMID( "ilst" )) {
+ ASSERT( ATOMID( type ) != ATOMID( "ilst" )); // don't allow ilst to be a child of ilst
+ return new MP4ItemAtom( file, type );
+ }
 if( ATOMID( type ) == ATOMID( "data" ))
 return new MP4DataAtom(file);
diff --git a/src/mp4property.cpp b/src/mp4property.cpp
index dc1e2ed..d75f9e1 100644
--- a/src/mp4property.cpp
+++ b/src/mp4property.cpp
@@ -391,8 +391,10 @@ void MP4StringProperty::Read( MP4File& file, uint32_t index )
 char*& value = m_values[i];
 // Generally a default atom setting, e.g. see atom_avc1.cpp, "JVT/AVC Coding"; we'll leak this string if
- // we don't free. Note that MP4Free checks for null.
- MP4Free(value);
+ // we don't free. Note that this code checks for null before calling free and sets the pointer to null
+ // after freeing it, to prevent a double free in case an exception occurs before the value is reassigned.
+ MP4Free( value );
+ value = NULL;
 if( m_useCountedFormat ) {
 value = file.ReadCountedString( (m_useUnicode ? 2 : 1), m_useExpandedCount, m_fixedLength );
diff --git a/src/mp4util.cpp b/src/mp4util.cpp
index 47bd74e..8a915b2 100644
--- a/src/mp4util.cpp
+++ b/src/mp4util.cpp
@@ -46,6 +46,12 @@ bool MP4NameFirstMatches(const char* s1, const char* s2)
 s1++;
 s2++;
 }
+
+ // Make sure we finished the loop by using up s2, not s1
+ if ( *s2 != '[' && *s2 != '.' && *s2 != '\0' ) {
+ return false;
+ }
+
 return true;
 }
diff --git a/src/mp4util.h b/src/mp4util.h
index 1fbbd81..b33bb44 100644
--- a/src/mp4util.h
+++ b/src/mp4util.h
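Review bot: The new `ASSERT( ATOMID( type ) != ATOMID( "ilst" ))` rejects a structure that comes from the file being parsed, but ASSERT is only a fallback definition in mp4util.h (it sits under `#ifndef ASSERT`, visible later in this diff), so a build that predefines ASSERT — for example to a no-op in release configurations — silently drops this guard. A parser check on untrusted input should not depend on an assertion macro; make it unconditional, `if( ATOMID( type ) == ATOMID( "ilst" )) throw new Exception( "ilst atom cannot contain an ilst atom", __FILE__, __LINE__, __FUNCTION__ );`, which also matches the explicit dataSize check this commit adds to ReadAtom. factory's body starts and ends outside the hunk.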
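Review bot: The rewritten comment states that "this code checks for null before calling free", but the two new statements contain no such check — `MP4Free( value )` is called unconditionally, and the removed comment attributed the null tolerance to MP4Free itself. A reader will look for a conditional that is not there; describe what the lines actually do, for example `// Release any default value and null the slot first, so that if the Read below throws the destructor does not free this pointer a second time (MP4Free tolerates NULL).` Whether MP4Free tolerates NULL is taken from the removed comment, not from anything visible in the hunk. MP4StringProperty::Read continues outside the hunk.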
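Review bot: The new post-loop check spells out the separator set `'['`, `'.'`, `'\0'` a second time, presumably duplicating the condition the loop above uses to stop advancing `s2`, so the two copies can drift apart; the four-line if/return also reads less directly than a single result expression, `return *s2 == '[' || *s2 == '.' || *s2 == '\0';`. The comment would be more useful stating the contract being enforced — the first component of `s2` must be fully consumed by the comparison, so a prefix such as "tra" must not match "trak" — rather than describing the loop mechanics. The loop that positions `s1` and `s2` starts before the hunk, so the exact stop condition cannot be confirmed here.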
@@ -33,7 +33,7 @@ namespace mp4v2 { namespace impl {
 #ifndef ASSERT
 # define ASSERT(expr) \
 if (!(expr)) { \
- throw new Exception("assert failure: "LIBMPV42_STRINGIFY((expr)), __FILE__, __LINE__, __FUNCTION__ ); \
+ throw new Exception("assert failure: " LIBMPV42_STRINGIFY((expr)), __FILE__, __LINE__, __FUNCTION__ ); \
 }
 #endif
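Review bot: The corrected throw line still leaves ASSERT expanding to a bare `if (...) { ... }` statement, so a use such as `if (c) ASSERT(x); else f();` fails to compile because the `;` after the macro ends the outer `if` before the `else`, and an unbraced `if` body that contains only an ASSERT followed by another statement silently changes meaning. The conventional fix is to wrap the body, `do { if (!(expr)) { throw new Exception(...); } } while (0)`, so the macro behaves as one statement wherever it is placed. Since the same commit relies on this macro for a file-format check in mp4atom.cpp, a one-line comment on the `#ifndef ASSERT` line saying the fallback must throw rather than compile out would help whoever next overrides it.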