Merge pull request #935 from roticv/master

More fixes for issues caught by fuzzer
axiomatic-systems · Apr 6, 2024 · b2e4c13 · b2e4c13
2 parents 525027c + 26df396
commit b2e4c13
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 3 deletions.
diff --git a/Source/C++/Core/Ap4ContainerAtom.cpp b/Source/C++/Core/Ap4ContainerAtom.cpp
@@ -136,6 +136,7 @@ AP4_ContainerAtom::AP4_ContainerAtom(Type             type,
                                      AP4_AtomFactory& atom_factory) :
     AP4_Atom(type, size, force_64)
 {
+    if (size < GetHeaderSize()) return;
     ReadChildren(atom_factory, stream, size-GetHeaderSize());
 }
 
@@ -151,6 +152,7 @@ AP4_ContainerAtom::AP4_ContainerAtom(Type             type,
                                      AP4_AtomFactory& atom_factory) :
     AP4_Atom(type, size, force_64, version, flags)
 {
+    if (size < GetHeaderSize()) return;
     ReadChildren(atom_factory, stream, size-GetHeaderSize());
 }
 

diff --git a/Source/C++/Core/Ap4OdheAtom.cpp b/Source/C++/Core/Ap4OdheAtom.cpp
@@ -64,9 +64,11 @@ AP4_OdheAtom::AP4_OdheAtom(AP4_UI32         size,
                            AP4_AtomFactory& atom_factory) :
     AP4_ContainerAtom(AP4_ATOM_TYPE_ODHE, size, false, version, flags)
 {
+    if (size < AP4_FULL_ATOM_HEADER_SIZE+1) return;
     // read the content type
     AP4_UI08 content_type_length;
     stream.ReadUI08(content_type_length);
+    if (size < AP4_FULL_ATOM_HEADER_SIZE+1+content_type_length) return;
     char content_type[256];
     stream.Read(content_type, content_type_length);
     m_ContentType.Assign(content_type, content_type_length);

diff --git a/Source/C++/Core/Ap4SaioAtom.cpp b/Source/C++/Core/Ap4SaioAtom.cpp
@@ -97,12 +97,14 @@ AP4_SaioAtom::AP4_SaioAtom(AP4_UI32        size,
     m_AuxInfoType(0),
     m_AuxInfoTypeParameter(0)
 {
-    AP4_UI32 remains = size-GetHeaderSize();
+    AP4_SI32 remains = size-AP4_FULL_ATOM_HEADER_SIZE;
     if (flags & 1) {
+        if (remains < 8) return;
         stream.ReadUI32(m_AuxInfoType);
         stream.ReadUI32(m_AuxInfoTypeParameter);
         remains -= 8;
     }
+    if (remains < 4) return;
     AP4_UI32 entry_count = 0;
     AP4_Result result = stream.ReadUI32(entry_count);
     if (AP4_FAILED(result)) return;

diff --git a/Source/C++/Core/Ap4SbgpAtom.cpp b/Source/C++/Core/Ap4SbgpAtom.cpp
@@ -73,18 +73,21 @@ AP4_SbgpAtom::AP4_SbgpAtom(AP4_UI32        size,
     m_GroupingType(0),
     m_GroupingTypeParameter(0)
 {
-    AP4_UI32 remains = size-GetHeaderSize();
+    if (size < AP4_FULL_ATOM_HEADER_SIZE + 4) return;
+    AP4_UI32 remains = size-AP4_FULL_ATOM_HEADER_SIZE;
     stream.ReadUI32(m_GroupingType);
     remains -= 4;
     if (version >= 1) {
+        if (remains < 4) return;
         stream.ReadUI32(m_GroupingTypeParameter);
         remains -= 4;
     }
+    if (remains < 4) return;
     AP4_UI32 entry_count = 0;
     AP4_Result result = stream.ReadUI32(entry_count);
     if (AP4_FAILED(result)) return;
     remains -= 4;
-    if (remains < entry_count*8) {
+    if (remains < (AP4_UI64)entry_count*8) {
         return;
     }
     m_Entries.SetItemCount(entry_count);

diff --git a/Source/C++/Core/Ap4StsdAtom.cpp b/Source/C++/Core/Ap4StsdAtom.cpp
@@ -87,6 +87,7 @@ AP4_StsdAtom::AP4_StsdAtom(AP4_UI32         size,
                            AP4_AtomFactory& atom_factory) :
     AP4_ContainerAtom(AP4_ATOM_TYPE_STSD, size, false, version, flags)
 {
+    if (size < AP4_FULL_ATOM_HEADER_SIZE + 4) return;
     // read the number of entries
     AP4_UI32 entry_count;
     stream.ReadUI32(entry_count);