Skip to content

V
vlc-2-2
Commit a353bd1b authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont
Browse files
Options

Fix a bunch of potential segmentation faults: 

 - out of bound read initially uncovered by sam,
 - also malloc() can really return NULL for arbitrary large alloc,
   return value MUST be checked.
parent 43ab4679
Hide whitespace changes
Inline Side-by-side
Showing with 24 additions and 2 deletions
modules/demux/asf/libasf.c
View file @ a353bd1b
...@@ -491,13 +491,14 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj ) ...@@ -491,13 +491,14 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
{ {
asf_object_stream_properties_t *p_sp = asf_object_stream_properties_t *p_sp =
(asf_object_stream_properties_t*)p_obj; (asf_object_stream_properties_t*)p_obj;
int i_peek; size_t i_peek;
uint8_t *p_peek; uint8_t *p_peek;
if( ( i_peek = stream_Peek( s, &p_peek, p_sp->i_object_size ) ) < 74 ) if( ( i_peek = stream_Peek( s, &p_peek, p_sp->i_object_size ) ) < 78 )
{ {
return VLC_EGENERIC; return VLC_EGENERIC;
} }
ASF_GetGUID( &p_sp->i_stream_type, p_peek + 24 ); ASF_GetGUID( &p_sp->i_stream_type, p_peek + 24 );
ASF_GetGUID( &p_sp->i_error_correction_type, p_peek + 40 ); ASF_GetGUID( &p_sp->i_error_correction_type, p_peek + 40 );
p_sp->i_time_offset = GetQWLE( p_peek + 56 ); p_sp->i_time_offset = GetQWLE( p_peek + 56 );
...@@ -506,21 +507,42 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj ) ...@@ -506,21 +507,42 @@ static int ASF_ReadObject_stream_properties( stream_t *s, asf_object_t *p_obj )
p_sp->i_flags = GetWLE( p_peek + 72 ); p_sp->i_flags = GetWLE( p_peek + 72 );
p_sp->i_stream_number = p_sp->i_flags&0x07f; p_sp->i_stream_number = p_sp->i_flags&0x07f;
p_sp->i_reserved = GetDWLE( p_peek + 74 ); p_sp->i_reserved = GetDWLE( p_peek + 74 );
i_peek -= 78;
if( p_sp->i_type_specific_data_length ) if( p_sp->i_type_specific_data_length )
{ {
if( i_peek < p_sp->i_type_specific_data_length )
return VLC_EGENERIC;
p_sp->p_type_specific_data = p_sp->p_type_specific_data =
malloc( p_sp->i_type_specific_data_length ); malloc( p_sp->i_type_specific_data_length );
if( p_sp->p_type_specific_data == NULL )
return VLC_ENOMEM;
memcpy( p_sp->p_type_specific_data, p_peek + 78, memcpy( p_sp->p_type_specific_data, p_peek + 78,
p_sp->i_type_specific_data_length ); p_sp->i_type_specific_data_length );
i_peek -= p_sp->i_type_specific_data_length;
} }
else else
{ {
p_sp->p_type_specific_data = NULL; p_sp->p_type_specific_data = NULL;
} }
if( p_sp->i_error_correction_data_length ) if( p_sp->i_error_correction_data_length )
{ {
if( i_peek < p_sp->i_error_correction_data_length )
{
free( p_sp->p_type_specific_data );
return VLC_EGENERIC;
}
p_sp->p_error_correction_data = p_sp->p_error_correction_data =
malloc( p_sp->i_error_correction_data_length ); malloc( p_sp->i_error_correction_data_length );
if( p_sp->p_error_correction_data == NULL )
{
free( p_sp->p_type_specific_data );
return VLC_ENOMEM;
}
memcpy( p_sp->p_error_correction_data, memcpy( p_sp->p_error_correction_data,
p_peek + 78 + p_sp->i_type_specific_data_length, p_peek + 78 + p_sp->i_type_specific_data_length,
p_sp->i_error_correction_data_length ); p_sp->i_error_correction_data_length );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment