codec: schroedinger: fix potential buffer overflow.

The variable len is a raw 32 bit value read using GetDWBE. If this value is larger than UINT32_MAX - sizeof(eos), this will cause an integer overflow in the subsequent call to malloc, and finally a buffer overflow when calling memcpy. We fix this by checking len accordingly. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> (cherry picked from commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

codec: schroedinger: fix potential buffer overflow.
The variable len is a raw 32 bit value read using GetDWBE. If this value is larger than UINT32_MAX - sizeof(eos), this will cause an integer overflow in the subsequent call to malloc, and finally a buffer overflow when calling memcpy. We fix this by checking len accordingly. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> (cherry picked from commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
19816b86 · Fabian Yamaguchi · Jean-Baptiste Kempf · 7c28c94a · 19816b86
Commit 19816b86 authored Dec 05, 2014 by Fabian Yamaguchi Committed by Jean-Baptiste Kempf Mar 26, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

modules/codec/schroedinger.c modules/codec/schroedinger.c +4 -0

No files found.
--- a/modules/codec/schroedinger.c
+++ b/modules/codec/schroedinger.c
@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
                     * is appended to the sequence header to allow guard
                     * against poor streaming servers */
                    /* XXX, should this be done using the packetizer ? */
+
+                    if( len > UINT32_MAX - sizeof( eos ) )
+                        return NULL;
+
                    p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
                    if( !p_enc->fmt_out.p_extra )
                        return NULL;