Commit 3e7f0de5 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

real: fix heap buffer overflow (CVE-2011-2587)

(cherry picked from commit 1bce40644cddee93b4b1877a94a6ce345f32852c)
parent d5f6738c
...@@ -841,7 +841,8 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts ) ...@@ -841,7 +841,8 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts )
demux_sys_t *p_sys = p_demux->p_sys; demux_sys_t *p_sys = p_demux->p_sys;
block_t *p_block = tk->p_sipr_packet; block_t *p_block = tk->p_sipr_packet;
if( p_sys->i_buffer < tk->i_frame_size ) if( p_sys->i_buffer < tk->i_frame_size
|| tk->i_sipr_subpacket_count >= tk->i_subpacket_h )
return; return;
if( !p_block ) if( !p_block )
...@@ -851,7 +852,6 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts ) ...@@ -851,7 +852,6 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts )
return; return;
tk->p_sipr_packet = p_block; tk->p_sipr_packet = p_block;
} }
memcpy( p_block->p_buffer + tk->i_sipr_subpacket_count * tk->i_frame_size, memcpy( p_block->p_buffer + tk->i_sipr_subpacket_count * tk->i_frame_size,
p_sys->buffer, tk->i_frame_size ); p_sys->buffer, tk->i_frame_size );
if (!tk->i_sipr_subpacket_count) if (!tk->i_sipr_subpacket_count)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment