Copilot AI commented Jan 10, 2026

Addresses potential integer overflow in ParseProtectionSystemSpecificHeaderBox where kidCount * 16 multiplication could wrap around, bypassing bounds checks and causing buffer overruns with malformed MP4 files.

Changes:

  • Add overflow validation before kidCount * 16 multiplication
  • Include <cstdint> for SIZE_MAX constant
  • Log error when overflow detected

```cpp
uint32_t kidCount = ReadU32();
// Check for integer overflow before multiplication
if (kidCount > SIZE_MAX / 16)
{
    parseError = MP4_PARSE_ERROR_DATA_BOUNDARY_MISMATCH;
    MP4_LOG_ERR("Invalid KID count %u would cause integer overflow", kidCount);
    return;
}
size_t kidBytes = static_cast<size_t>(kidCount) * 16;
```

Without this check, a malicious kidCount value (e.g., SIZE_MAX / 16 + 1) would overflow to a small value, pass the subsequent bounds check at line 404, but advance ptr incorrectly at line 410.



Co-authored-by: pstroffolino <20442081+pstroffolino@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP address feedback on VPLAY-12333 mp4demux hardening PR" to "Fix integer overflow in PSSH box KID count validation" Jan 10, 2026
Copilot AI requested a review from pstroffolino January 10, 2026 22:24
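
An added example, not code from this pull request or the project: it models the wrap described above with explicit 32-bit arithmetic, then shows a variation of the check that compares kidCount against the bytes remaining divided by 16, so the overflow test and the bounds test are one comparison. The function names, the `remaining` parameter and the sample count are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumption: each KID entry is 16 bytes, as in the kidCount * 16 above.
constexpr uint32_t kKidSize = 16;

// Unchecked length, modelled in 32-bit arithmetic (a target where size_t is
// 32 bits): the product wraps modulo 2^32.
uint32_t KidBytesWrapping(uint32_t kidCount)
{
    return kidCount * kKidSize;
}

// True when the wrapped length passes a "kidBytes <= remaining" bounds check
// although the real KID list is larger than the data left in the box.
bool WrappedLengthPassesBoundsCheck(uint32_t kidCount, uint32_t remaining)
{
    const uint64_t realBytes = static_cast<uint64_t>(kidCount) * kKidSize;
    return KidBytesWrapping(kidCount) <= remaining && realBytes > remaining;
}

// Checked form: compare the count with remaining / 16 before multiplying.
// The division cannot overflow, so the result is the same whether size_t
// is 32 or 64 bits wide.
bool CheckedKidBytes(uint32_t kidCount, size_t remaining, size_t *kidBytes)
{
    if (kidCount > remaining / kKidSize)
        return false; // KID list does not fit in the remaining bytes
    *kidBytes = static_cast<size_t>(kidCount) * kKidSize;
    return true;
}

int main()
{
    const uint32_t hostile = 0x10000001u; // constructed value: 2^28 + 1
    size_t kidBytes = 0;
    std::printf("wrapped length: %u\n", static_cast<unsigned>(KidBytesWrapping(hostile)));
    std::printf("passes naive check with 64 bytes left: %d\n",
                WrappedLengthPassesBoundsCheck(hostile, 64));
    std::printf("accepted by checked form: %d\n",
                CheckedKidBytes(hostile, 64, &kidBytes));
    return 0;
}
```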