3.0.3

mp4v2-Win/include/mp4v2/project.h

@@ -6,17 +6,17 @@
 #define MP4V2_PROJECT_name            "MP4v2"
 #define MP4V2_PROJECT_name_lower      "mp4v2"
 #define MP4V2_PROJECT_name_upper      "MP4V2"
-#define MP4V2_PROJECT_name_formal     "MP4v2 3.0.3.0"
+#define MP4V2_PROJECT_name_formal     "MP4v2 3.0.4.0"
 #define MP4V2_PROJECT_url_website     "http://code.google.com/p/mp4v2"
 #define MP4V2_PROJECT_url_downloads   "http://code.google.com/p/mp4v2/downloads/list"
 #define MP4V2_PROJECT_url_discussion  "http://groups.google.com/group/mp4v2"
 #define MP4V2_PROJECT_irc             "irc://irc.freenode.net/handbrake"
 #define MP4V2_PROJECT_bugreport       "<[email protected]>"
-#define MP4V2_PROJECT_version         "3.0.3.0"
+#define MP4V2_PROJECT_version         "3.0.4.0"
 #define MP4V2_PROJECT_version_hex     0x00020100
 #define MP4V2_PROJECT_version_major   3
 #define MP4V2_PROJECT_version_minor   0
-#define MP4V2_PROJECT_version_point   3
+#define MP4V2_PROJECT_version_point   4
 #define MP4V2_PROJECT_repo_url        "https://mp4v2.googlecode.com/svn/trunk"
 #define MP4V2_PROJECT_repo_root       "https://mp4v2.googlecode.com/svn"
 #define MP4V2_PROJECT_repo_uuid       "6e6572fa-98a6-11dd-ad9f-f77439c74b79"

mp4v2-Win/mp4v2.autopkg

@@ -10,7 +10,7 @@ nuget
    nuspec
    {
       id = mp4v2;
-      version: 3.0.3.0;
+      version: 3.0.4.0;
       title: MP4v2 Library;
       authors: { TechSmith Corporation };
       owners: { TechSmith Corporation };
@@ -27,7 +27,8 @@ nuget
          3.0.1.0 Bumping the version number since some new functions were added in the past three commits
          3.0.1.1 Sync version number in .autopkg with the one in mp4v2/project.h
          3.0.2.0 Picking up Stephen Wagner's updates to handle PNG MOVs
-         3.0.3.0 Fixing a bug where version number 3.0.2 was inconsistent in project.h";
+         3.0.3.0 Fixing a bug where version number 3.0.2 was inconsistent in project.h
+         3.0.4.0 Security fixes";
       copyright: "";
       tags: { native, mp4v2, mp4, vs2015 };
    };

src/mp4array.h

@@ -102,6 +102,8 @@ class MP4Array {
         void Resize(MP4ArrayIndex newSize) { \
             m_numElements = newSize; \
             m_maxNumElements = newSize; \
+            if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
+               throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \
             m_elements = (type*)MP4Realloc(m_elements, \
                 m_maxNumElements * sizeof(type)); \
         } \

src/mp4atom.cpp

@@ -143,6 +143,13 @@ MP4Atom* MP4Atom::ReadAtom(MP4File& file, MP4Atom* pParentAtom)
         dataSize = file.GetSize() - pos;
     }
 
+    // Prevent integer underflow due to incorrect atom size read from file
+    if ( dataSize < hdrSize ) {
+       ostringstream oss;
+       oss << "Invalid atom size in '" << type << "' atom, dataSize = " << dataSize << " cannot be less than hdrSize = " << static_cast<unsigned>( hdrSize );
+       log.errorf( "%s: \"%s\": %s", __FUNCTION__, file.GetFilename().c_str(), oss.str().c_str() );
+       throw new Exception( oss.str().c_str(), __FILE__, __LINE__, __FUNCTION__ );
+    }
     dataSize -= hdrSize;
 
     log.verbose1f("\"%s\": type = \"%s\" data-size = %" PRIu64 " (0x%" PRIx64 ") hdr %u",
@@ -778,8 +785,10 @@ MP4Atom::factory( MP4File &file, MP4Atom* parent, const char* type )
         const char* const ptype = parent->GetType();
 
         if( descendsFrom( parent, "ilst" )) {
-            if( ATOMID( ptype ) == ATOMID( "ilst" ))
-                return new MP4ItemAtom( file, type );
+            if( ATOMID( ptype ) == ATOMID( "ilst" )) {
+               ASSERT( ATOMID( type ) != ATOMID( "ilst" ));  // don't allow ilst to be a child of ilst
+               return new MP4ItemAtom( file, type );
+            }
 
             if( ATOMID( type ) == ATOMID( "data" ))
                 return new MP4DataAtom(file);

src/mp4property.cpp

@@ -391,8 +391,10 @@ void MP4StringProperty::Read( MP4File& file, uint32_t index )
         char*& value = m_values[i];
 
         // Generally a default atom setting, e.g. see atom_avc1.cpp, "JVT/AVC Coding"; we'll leak this string if
-        // we don't free.  Note that MP4Free checks for null.
-        MP4Free(value); 
+        // we don't free.  Note that this code checks for null before calling free and sets the pointer to null
+        // after freeing it, to prevent a double free in case an exception occurs before the value is reassigned.
+        MP4Free( value );
+        value = NULL;
 
         if( m_useCountedFormat ) {
             value = file.ReadCountedString( (m_useUnicode ? 2 : 1), m_useExpandedCount, m_fixedLength );

src/mp4util.cpp

@@ -46,6 +46,12 @@ bool MP4NameFirstMatches(const char* s1, const char* s2)
         s1++;
         s2++;
     }
+
+    // Make sure we finished the loop by using up s2, not s1
+    if ( *s2 != '[' && *s2 != '.' && *s2 != '\0' ) {
+        return false;
+    }
+
     return true;
 }
 

src/mp4util.h

@@ -33,7 +33,7 @@ namespace mp4v2 { namespace impl {
 #ifndef ASSERT
 #   define ASSERT(expr) \
         if (!(expr)) { \
-            throw new Exception("assert failure: "LIBMPV42_STRINGIFY((expr)), __FILE__, __LINE__, __FUNCTION__ ); \
+            throw new Exception("assert failure: " LIBMPV42_STRINGIFY((expr)), __FILE__, __LINE__, __FUNCTION__ ); \
         }
 #endif