Commit 19816b86 authored by Fabian Yamaguchi's avatar Fabian Yamaguchi Committed by Jean-Baptiste Kempf

codec: schroedinger: fix potential buffer overflow.

The variable len is a raw 32 bit value read using GetDWBE. If this
value is larger than UINT32_MAX - sizeof(eos), this will cause an
integer overflow in the subsequent call to malloc, and finally a
buffer overflow when calling memcpy. We fix this by checking len
accordingly.
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent 7c28c94a
...@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic ) ...@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
* is appended to the sequence header to allow guard * is appended to the sequence header to allow guard
* against poor streaming servers */ * against poor streaming servers */
/* XXX, should this be done using the packetizer ? */ /* XXX, should this be done using the packetizer ? */
if( len > UINT32_MAX - sizeof( eos ) )
return NULL;
p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) ); p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
if( !p_enc->fmt_out.p_extra ) if( !p_enc->fmt_out.p_extra )
return NULL; return NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment