From 70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb Mon Sep 17 00:00:00 2001
From: Tom Sirgedas <T.Sirgedas@techsmith.com>
Date: Thu, 14 Mar 2019 14:23:17 -0400
Subject: [PATCH] fix vulnerability where an atom list size is enormous

and calculating the number of bytes needed to hold the list overflows

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14326 and https://nvd.nist.gov/vuln/detail/CVE-2018-14446
---
 src/mp4array.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/mp4array.h b/src/mp4array.h
index c49d59b..69d470a 100644
--- a/src/mp4array.h
+++ b/src/mp4array.h
@@ -102,6 +102,8 @@ class MP4Array {
         void Resize(MP4ArrayIndex newSize) { \
             m_numElements = newSize; \
             m_maxNumElements = newSize; \
+            if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
+               throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \
             m_elements = (type*)MP4Realloc(m_elements, \
                 m_maxNumElements * sizeof(type)); \
         } \