Add boundary checks to Ap4SbgpAtom

Fuzzer caught another large malloc. This is caused by lack of boundary check in Ap4SbgpAtom causing underflow.
axiomatic-systems · Mar 24, 2024 · f9f6b22 · f9f6b22
1 parent 84b95d4
commit f9f6b22
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/Source/C++/Core/Ap4SbgpAtom.cpp b/Source/C++/Core/Ap4SbgpAtom.cpp
@@ -73,13 +73,16 @@ AP4_SbgpAtom::AP4_SbgpAtom(AP4_UI32        size,
     m_GroupingType(0),
     m_GroupingTypeParameter(0)
 {
-    AP4_UI32 remains = size-GetHeaderSize();
+    if (size < AP4_FULL_ATOM_HEADER_SIZE + 4) return;
+    AP4_UI32 remains = size-AP4_FULL_ATOM_HEADER_SIZE;
     stream.ReadUI32(m_GroupingType);
     remains -= 4;
     if (version >= 1) {
+        if (remains < 4) return;
         stream.ReadUI32(m_GroupingTypeParameter);
         remains -= 4;
     }
+    if (remains < 4) return;
     AP4_UI32 entry_count = 0;
     AP4_Result result = stream.ReadUI32(entry_count);
     if (AP4_FAILED(result)) return;