VPLAY-12333 mp4demux hardening

[pstroffolino]

VPLAY-12333 mp4demux hardening

Reason for Change: bounds checks and support for 64 bit size

Test Guidance: general regression testing with mp4demux enabled and l1 tests

Risk: Low

[Copilot]

Pull request overview

This pull request adds hardening to the MP4 demuxer by implementing comprehensive bounds checking and support for 64-bit box sizes. The changes aim to prevent buffer overruns and handle malformed or malicious MP4 data more safely.

Changes:

• Added endPtr, mdatStart, and mdatEnd member variables to track buffer boundaries for validation
• Implemented bounds checking in ReadBytes() to prevent reading beyond buffer limits
• Enhanced PSSH box parsing to handle version 1 format with KIDs and improved data size validation
• Strengthened SAIO box parsing with entry count validation and bounds checking
• Added sample data validation in TRUN parsing against mdat range
• Implemented 64-bit box size support in DemuxHelper() for large boxes
• Made sample description box parsing more tolerant of multiple entries

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.

File	Description
mp4demux/MP4Demux.h	Added endPtr, mdatStart, mdatEnd member variables and updated Parse() documentation
mp4demux/MP4Demux.cpp	Implemented bounds checking, 64-bit size support, enhanced PSSH/SAIO/TRUN parsing, and mdat range tracking

Comments suppressed due to low confidence (1)

mp4demux/MP4Demux.cpp:674

• The validation logic at lines 661-674 has inverted semantics. When mdatStart and mdatEnd are both set (lines 661-667), only a warning is logged if dataPtr is outside the range. However, when they are NOT set (lines 668-674), a parse error is raised. This suggests that having mdat tracking is considered mandatory, yet the warning for out-of-range dataPtr should likely be an error instead. Consider making the out-of-range condition an error to maintain consistency with the intent of bounds checking.

	// If we tracked an mdat range, validate dataPtr lies within it
	if (mdatStart && mdatEnd)
	{
		if (dataPtr < mdatStart || dataPtr > mdatEnd)
		{
			MP4_LOG_WARN("TRUN dataPtr outside mdat range");
		}
	}
	else
	{
		// mandatory field? should never reach here
		parseError = MP4_PARSE_ERROR_MISSING_DATA_OFFSET;
		MP4_LOG_ERR("Missing data offset in TRUN box");
		return;
	}

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 17 comments.

[Copilot]

The mdat tracking updates both mdatStart and mdatEnd on every mdat box encountered during parsing. If multiple mdat boxes are present in a segment, only the most recent one's range will be tracked. Consider whether this is the intended behavior or if all mdat ranges should be tracked. Add a comment documenting this behavior if it's intentional.

[Copilot]

The SAIO parsing changes that handle multiple entries (entryCount > 1) need test coverage. Add tests for:

1. SAIO boxes with entryCount > 1 for both version 0 and version 1
2. Boundary conditions where reading all entries would exceed buffer
3. Verify that gotAuxiliaryInformationOffset is only set when parseError is MP4_PARSE_OK
4. Edge case where entryCount == 0 triggers error

[pstroffolino]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

@pstroffolino I've opened a new pull request, #831, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.

Comments suppressed due to low confidence (1)

mp4demux/MP4Demux.cpp:775

• The loop in ParseTrackRun calls multiple Read functions (ReadU32, ReadI32) that can fail and set parseError, but the loop continues without checking parseError status between iterations. If a Read operation fails partway through processing samples, the code will continue accessing potentially invalid data and creating malformed samples. Consider adding parseError checks after each Read operation or at the start of each loop iteration to exit early on error.

	for (auto i = 0u; i < sampleCount; i++)
	{
		samples.emplace_back();
		// Get reference to newly added sample
		AampMediaSample& newSample = samples.back();
		uint32_t sampleLen = defaultSampleSize;
		uint32_t sampleDuration = defaultSampleDuration;
		if (flags & TRUN_SAMPLE_DURATION_PRESENT)
		{
			sampleDuration = ReadU32();
		}
		if (flags & TRUN_SAMPLE_SIZE_PRESENT)
		{
			sampleLen = ReadU32();
		}
		if (flags & TRUN_SAMPLE_FLAGS_PRESENT)
		{ // rarely present?
			sampleFlags = ReadU32();
		}
		int32_t sampleCompositionTimeOffset = 0;
		if (flags & TRUN_SAMPLE_COMPOSITION_TIME_OFFSET_PRESENT)
		{ // for samples where pts and dts differ (overriding 'trex')
			sampleCompositionTimeOffset = ReadI32();
		}
		// Guard: sample buffer must not overrun endPtr (or mdat)
		const uint8_t* hardEnd = mdatEnd?mdatEnd:endPtr;
		if ( dataPtr + sampleLen > hardEnd )
		{
			setParseError( MP4_PARSE_ERROR_DATA_BOUNDARY_MISMATCH );
			return;
		}
		newSample.mData.AppendBytes(dataPtr, sampleLen);
		dataPtr += sampleLen;
		newSample.mDts = dts / (double)timeScale;
		newSample.mPts = (dts + sampleCompositionTimeOffset) / (double)timeScale;
		newSample.mDuration = sampleDuration / (double)timeScale;
		dts += sampleDuration;
	}

[Copilot]

After reading the initial size and type (both via ReadU32), the code should check if parseError is MP4_PARSE_OK before proceeding to use these values. If ReadU32 failed due to bounds checking, the size and type values will be 0, but the code continues to process them, potentially leading to incorrect behavior or confusion about the actual error.

Suggested change

	uint64_t size = ReadU32();
	uint32_t type = ReadU32();
	uint64_t size = ReadU32();
	if (parseError != MP4_PARSE_OK)
	{
	return;
	}
	uint32_t type = ReadU32();
	if (parseError != MP4_PARSE_OK)
	{
	return;
	}

[Copilot]

@pstroffolino I've opened a new pull request, #832, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

@pstroffolino I've opened a new pull request, #833, to work on those changes. Once the pull request is ready, I'll request review from you.

[rdkcmf-jenkins]

Coverity Issue - Logically dead code

Execution cannot reach this statement: "this->setParseError(MP4_PAR...".

Medium Impact, CWE-561
DEADCODE

[rdkcmf-jenkins]

Coverity Issue - Operands don't affect result

"kidCount > 1152921504606846975UL /* 18446744073709551615UL / 16 */" is always false regardless of the values of its operands. This occurs as the logical operand of "if".

Medium Impact, CWE-569
CONSTANT_EXPRESSION_RESULT

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 12 comments.

[Copilot]

The test name 'TrunOverrunDetection' expects the parse to fail, but the test implementation appears to validate TRUN overrun detection which is a positive test scenario (detecting an error condition). The test name should more clearly indicate what is being tested, such as 'TrunSampleSizeExceedsMdatPayloadDetected' or 'TrunOverrunCausesParseFailure' to make the test intent clearer.

[Copilot]

The logic for handling the two tenc box layouts is flawed. After trying the standard layout and setting ok=false on line 388, the code unconditionally enters the fallback block on line 394 regardless of whether the standard layout actually succeeded. The condition 'if (!ok)' should guard the entire fallback block, and if the standard layout succeeds (ivSz is 8 or 16 and bounds check passes), the code should skip the fallback and proceed directly to line 415. Currently, even successful standard layout parsing will be overwritten by the fallback attempt.

[pstroffolino]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

@pstroffolino I've opened a new pull request, #835, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 15 comments.

[Copilot]

The ReadLen function's return type changes from int to uint32_t, which is a breaking API change. While this is an improvement (length should be unsigned), any calling code that stores the result in an int variable may experience issues. Ensure all callers have been reviewed and updated appropriately.

Suggested change

	uint32_t ReadLen();
	int ReadLen();

[Copilot]

The logic for checking TRUN data offset bounds appears incomplete. The check if( mdatStart && (dataPtr < mdatStart || dataPtr >= mdatEnd) ) only validates the starting position of the data, but doesn't verify that dataPtr plus the sample length stays within mdat bounds. This validation happens later at line 801, but if the data_offset field itself points outside mdat, the error could be caught earlier and with a more specific message.

[Copilot]

In the new ReadLen() implementation, when returning 0 on error, the function has already called setParseError. However, callers of ReadLen() may not distinguish between a legitimate length value of 0 and an error condition. Consider documenting that callers must check parseError after calling ReadLen(), or ensure all call sites properly handle this case.

[Copilot]

The variable name ok is used to track validity but is never explicitly checked after being set to false on line 388. The code relies on the fallback path, but it would be clearer to use a more descriptive name like isStandardLayout or validStandardLayout to make the control flow more explicit.

[Copilot]

The accumulation expression rc = (rc<<8) + (*ptr++) changes the original logic from rc = (rc<<8) | (*ptr++). While mathematically equivalent for the intended use case (building a big-endian integer from bytes), using addition instead of bitwise OR is unconventional for byte packing operations and could be confusing to readers familiar with the standard idiom. Consider keeping the bitwise OR for consistency with typical byte-packing patterns.

Suggested change

	rc = (rc<<8) + (*ptr++);
	rc = (rc<<8) | (*ptr++);

[Copilot]

The helper functions write32be, write64be, write4cc, write16be, and the Box struct are defined with internal linkage but lack static keyword or anonymous namespace. According to C++ best practices and the C++ Core Guidelines (C.42), file-scope helper functions should be in an anonymous namespace or marked static to prevent external linkage and potential ODR violations.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.

Comments suppressed due to low confidence (1)

mp4demux/MP4Demux.cpp:1365

• The default case in the DemuxHelper switch statement at line 1363 contains only a break, which means unknown box types are silently skipped without advancing ptr. This will cause the ptr != next check at line 1370 to fail and set MP4_PARSE_ERROR_DATA_BOUNDARY_MISMATCH. While this might be intentional to catch unhandled boxes, it means that any future box types added to the MP4 spec will cause parse failures unless explicitly added to the switch. Consider whether unknown boxes should be handled more gracefully (e.g., by advancing ptr = next in the default case) to allow forward compatibility.

			default:
				break;
		}

[Copilot]

The line 1203 assigns directly to parseError instead of calling setParseError(). This is inconsistent with the rest of the code which uses setParseError() for logging and error state management. This direct assignment bypasses the logging provided by setParseError().

Suggested change

	parseError = MP4_PARSE_ERROR_DATA_BOUNDARY_MISMATCH;
	setParseError( MP4_PARSE_ERROR_DATA_BOUNDARY_MISMATCH );

[Copilot]

In the ParseTrackEncryptionBox function, the comment on lines 376-378 mentions that a legacy/variant pattern with a "pattern" byte is "not supported", but the old code on lines being removed actually handled the pattern byte for CBCS cipher. The new implementation removes this handling entirely without setting an error. If this pattern is truly unsupported and might be encountered, the function should detect it and set an appropriate parse error rather than silently proceeding with potentially incorrect parsing.

[Copilot]

The bounds check condition at line 750 only validates dataPtr against mdat boundaries if mdatStart is set, but doesn't handle the case where mdatStart is nullptr. If mdatStart is nullptr (which happens before any mdat box is parsed), this check is skipped entirely. This could allow dataPtr to point to arbitrary memory before an mdat box has been encountered. Consider whether validation is needed in the mdatStart==nullptr case, or document why it's safe to skip.

[Copilot]

The data_offset value in the test data was changed from 0x2D5 (725) to 0xB2 (178). The comment explains this is "from start of moof" but the old comment mentioned it was calculated from moov + moof + mdat header - moof header. This appears to be a test data correction, but there's no explanation in the PR description about why the original value was incorrect. Consider adding a comment explaining why this specific value is now correct to aid future maintenance.

Suggested change

	0x00,0x00,0x00,0xB2, // data_offset = 178 (from start of moof)
	0x00,0x00,0x00,0xB2, // data_offset = 178 bytes from start of moof.
	// In this synthetic test fragment the moof is followed
	// immediately by an mdat; 0xB2 is the byte offset from
	// the beginning of the moof box to the first media
	// sample in that mdat. The previous value 0x2D5 was
	// computed using a full-file layout (moov + moof +
	// mdat header - moof header) and did not match the
	// isolated moof/mdat structure used in these tests.

[Copilot]

The check for parseError in ReadU32() is missing. After calling ReadU32() to read size and type, if parseError is set by ReadBytes(), the subsequent logic should not proceed. While there is a check after ReadU32() for type at line 1172, there is no check after the first ReadU32() for size at line 1170.

Suggested change

	uint64_t size = ReadU32();
	uint64_t size = ReadU32();
	if( parseError != MP4_PARSE_OK ) return;

[Copilot]

The condition at line 786 uses a ternary operator to choose between mdatEnd and endPtr as the hard boundary. However, if mdatEnd is set but less than endPtr (which should always be the case for a valid mdat box within the buffer), using mdatEnd provides tighter bounds checking. But if mdatEnd is somehow greater than endPtr due to a malformed box, this could allow reading beyond the buffer. Consider adding an assertion or check that mdatEnd <= endPtr when mdatEnd is set to catch malformed state early.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.

[Copilot]

The MultiChar_Constant macro has been changed from bitwise OR (|) to addition (+). While mathematically equivalent for non-overlapping bit fields, the OR operator is more semantically appropriate for combining independent bit positions and is the conventional pattern for this type of FourCC construction. Consider reverting to the OR operator for consistency with common practice.

Suggested change

	+ (static_cast<uint32_t>(TEXT[1]) << 0x10) \
	+ (static_cast<uint32_t>(TEXT[2]) << 0x08) \
	+ (static_cast<uint32_t>(TEXT[3]) << 0x00) )
	| (static_cast<uint32_t>(TEXT[1]) << 0x10) \
	| (static_cast<uint32_t>(TEXT[2]) << 0x08) \
	| (static_cast<uint32_t>(TEXT[3]) << 0x00) )

[Copilot]

The Mp4ParseException class should follow modern C++ RAII and exception best practices. The 'what' string is passed as a const char* which may point to temporary storage. Consider using std::string for the 'what' parameter to ensure the message is safely stored, or document that the caller must ensure the string lifetime exceeds the exception lifetime.

[Copilot]

The SIZE_MAX conditional compilation check is good defensive programming. However, on modern 64-bit systems, the else case (no overflow check) allows kidCount values up to UINT32_MAX which could still cause issues if kidCount * 16 exceeds available memory. Consider adding a sanity check even on 64-bit platforms, such as limiting kidCount to a reasonable maximum (e.g., 1000 or 10000 KIDs).

[Copilot]

The TRUN parsing validation checks if dataPtr is within mdat bounds, but this check only occurs if mdatStart is non-null. If an MP4 stream has a TRUN box without a preceding MDAT box (malformed but possible), dataPtr will not be validated against endPtr. Consider adding a fallback check against endPtr when mdatStart is null to ensure dataPtr is always within valid bounds.

Suggested change

	if( mdatStart && (dataPtr < mdatStart || dataPtr >= mdatEnd) )
	if( (mdatStart && (dataPtr < mdatStart || dataPtr >= mdatEnd)) ||
	(!mdatStart && (dataPtr >= endPtr)) )

[Copilot]

The ReadLen function correctly implements overflow detection for variable-length integers. However, the overflow check happens after incrementing 'bits' by 7 each iteration. For clarity and to avoid potential edge cases, consider checking if adding 7 more bits would exceed 32 before updating 'rc', or restructure to check 'bits >= 32' before the shift-and-add operation.

[Copilot]

The test is checking floating-point equality with EXPECT_NEAR using a tolerance of 1e-6. While this is an improvement over exact equality checks (EXPECT_EQ), consider whether this tolerance is appropriate for the timescale being used (30000). For values like 0.1 seconds, the actual representation at this timescale would be 3000/30000, which is exactly representable. Document why EXPECT_NEAR is needed here or use EXPECT_DOUBLE_EQ if exact equality is expected after the division.

[Copilot]

In the extended box size handling (size==1), the code subtracts 16 from the 64-bit largesize to get the payload size. However, there's no check to ensure that size is castable to size_t before the addition 'ptr + size'. On 32-bit systems where size_t is 32 bits, a 64-bit box size larger than SIZE_MAX would cause the pointer arithmetic to overflow. Consider adding a check: if size > SIZE_MAX, throw an appropriate exception.

[Copilot]

The generic catch block for std::exception maps all unknown exceptions to MP4_PARSE_ERROR_INVALID_BOX, which may be misleading. For example, a std::bad_alloc would be mapped to INVALID_BOX rather than an out-of-memory error. Consider either adding specific handlers for common exceptions (bad_alloc, etc.) or using a more generic error code like MP4_PARSE_ERROR_INTERNAL for unexpected exceptions.

Suggested change

	// Map unknown std exceptions to a generic parse error
	setParseError(MP4_PARSE_ERROR_INVALID_BOX);
	// Map unknown std exceptions to a generic internal parse error
	setParseError(MP4_PARSE_ERROR_INTERNAL);

[Copilot]

The Box helper struct uses a boolean 'extended' flag to track whether 64-bit size is used, but initializes it in the constructor based on 'forceExtended' and then conditionally modifies buf[start+3] to set size to 1. This approach modifies already-written bytes. A cleaner approach would be to write the correct size value initially rather than writing 0 and then modifying. Consider refactoring to write the correct initial size field based on the extended flag.

[Vinish100]

Replace hardcoded numbers with macro for better readability?

[Vinish100]

I think the boundary checks can be replaced with a macro, would look clean
This seems to be a common logic with len and the errorMsg being the variables

[pstroffolino]

fine idea, but can defer

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 11 comments.

[Copilot]

The encode_len function could benefit from input validation. If value is 0, it will create a vector with a single element 0x00, which is correct. However, for large values that require more than 4 continuation bytes, this could create varint encodings longer than what Mp4Demux::ReadLen() can handle (which now enforces a 32-bit limit and throws on overflow). Consider adding a check and comment about the maximum value that can be encoded (2^28 - 1 for 4-byte encoding).

[Copilot]

The error code MP4_PARSE_ERROR_MISSING_DATA_OFFSET has been removed from the enum but this appears to be intentional as the code no longer treats missing data_offset as an error (the check has been removed from ParseTrackRun). However, this is a breaking change to the public API enum that could affect external code checking for this specific error. Consider documenting this breaking change or adding a deprecation notice if backward compatibility is a concern.

Suggested change

	MP4_PARSE_ERROR_UNEXPECTED_IS_ENCRYPTED_FIELD /**< is_encrypted not 0 or 1 */
	MP4_PARSE_ERROR_UNEXPECTED_IS_ENCRYPTED_FIELD, /**< is_encrypted not 0 or 1 */
	MP4_PARSE_ERROR_MISSING_DATA_OFFSET /**< Deprecated: maintained for backward compatibility; no longer used */

[Copilot]

The ReadLen() method return type has been changed from int to uint32_t. This is a good improvement for type safety since lengths should never be negative. However, this is a breaking API change for any code that may have assigned the result to an int variable. Ensure this change is documented in release notes.

Suggested change

	* @return Length value
	*
	* This method reads a length field that is encoded using a variable-length
	* scheme. The returned value is always non-negative and represented as
	* an unsigned 32-bit integer.
	*
	* @return Length value as uint32_t
	*
	* @note The return type of this method was changed from int to uint32_t
	* to improve type safety (lengths are never negative). Callers
	* should ensure they do not rely on negative values and avoid
	* unintended narrowing conversions to signed types.

[Copilot]

The double semicolon is a syntax error. Remove one semicolon at the end of this line.

[Copilot]

The sampleFlags variable is read but marked with (void) to suppress unused variable warnings on lines 687 and 708. If sampleFlags is genuinely unused, consider removing the read entirely rather than reading and voiding it. If it will be used in future code, add a TODO comment explaining the intended usage. The current pattern of reading then voiding is unclear about the intent.

Suggested change

	{ // rarely present?
	sampleFlags = ReadU32();
	(void)sampleFlags;
	{ // rarely present? currently ignored, but must advance stream
	ReadU32();

[Copilot]

There are unnecessary blank lines added (lines 801 and 803) around the data_offset bytes. These should be removed for consistency with the surrounding test data formatting, where hex bytes are listed consecutively without blank line separators.

Suggested change

	0x00,0x00,0x00,0xB2, // data_offset = 178 (from start of moof)
	0x00,0x00,0x00,0xB2, // data_offset = 178 (from start of moof)

[Copilot]

The SIZE_MAX check for overflow protection is only needed on 32-bit platforms, but the conditional compilation guard checks if SIZE_MAX is 32-bit or smaller. However, SIZE_MAX is always defined as the maximum value for size_t, so this check would be more accurately expressed as checking the size of size_t directly: #if UINTPTR_MAX <= 0xffffffff or #if SIZE_MAX <= 0xffffffff. The current condition is correct but the comment should clarify that this protects against overflow when kidCount*16 exceeds SIZE_MAX on platforms where size_t is 32-bit.