Commit 0ce0cc9f authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Protect against vobsub lines overflow

(probably impossible in practice as memory would run out first)
parent 3fc2289a
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
#include <errno.h> #include <errno.h>
#include <sys/types.h> #include <sys/types.h>
#include <limits.h>
#include <vlc_demux.h> #include <vlc_demux.h>
#include <vlc_charset.h> #include <vlc_charset.h>
...@@ -417,47 +418,35 @@ static int Demux( demux_t *p_demux ) ...@@ -417,47 +418,35 @@ static int Demux( demux_t *p_demux )
static int TextLoad( text_t *txt, stream_t *s ) static int TextLoad( text_t *txt, stream_t *s )
{ {
int i_line_max; char **lines = NULL;
size_t n = 0;
/* init txt */
i_line_max = 500;
txt->i_line_count = 0;
txt->i_line = 0;
txt->line = calloc( i_line_max, sizeof( char * ) );
if( !txt->line )
return VLC_EGENERIC;
/* load the complete file */ /* load the complete file */
for( ;; ) for( ;; )
{ {
char *psz = stream_ReadLine( s ); char *psz = stream_ReadLine( s );
char **ppsz_new;
if( psz == NULL ) if( psz == NULL || (n >= INT_MAX/sizeof(char *)) )
break; break;
txt->line[txt->i_line_count++] = psz; ppsz_new = realloc( lines, (n + 1) * sizeof (char *) );
if( txt->i_line_count >= i_line_max ) if( ppsz_new == NULL )
{ {
char **ppsz_old = txt->line; free( psz );
break;
i_line_max += 100;
txt->line = realloc( txt->line, i_line_max * sizeof( char*) );
if( !txt->line )
{
free( ppsz_old );
break;
}
} }
lines = ppsz_new;
lines[n++] = psz;
} }
if( txt->i_line_count <= 0 ) txt->i_line_count = 0;
{ txt->i_line = n;
free( txt->line ); txt->line = lines;
return VLC_EGENERIC;
}
return VLC_SUCCESS; return VLC_SUCCESS;
} }
static void TextUnload( text_t *txt ) static void TextUnload( text_t *txt )
{ {
int i; int i;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment