Commit 95491aa7 authored by Rémi Denis-Courmont

Fix buffer overflow

Pointed-out-by. Tobias Klein <tk@trapkit.de>
parent 337c8691
...@@ -820,6 +820,7 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev, ...@@ -820,6 +820,7 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
char *psz_vcdfile = NULL; char *psz_vcdfile = NULL;
char *psz_cuefile = NULL; char *psz_cuefile = NULL;
FILE *cuefile = NULL; FILE *cuefile = NULL;
int *p_sectors = NULL;
char line[1024]; char line[1024];
bool b_found = false; bool b_found = false;
...@@ -858,7 +859,6 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev, ...@@ -858,7 +859,6 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
cuefile = utf8_fopen( psz_cuefile, "rt" ); cuefile = utf8_fopen( psz_cuefile, "rt" );
if( cuefile == NULL ) if( cuefile == NULL )
{ {
i_ret = -1;
msg_Dbg( p_this, "could not find .cue file" ); msg_Dbg( p_this, "could not find .cue file" );
goto error; goto error;
} }
...@@ -904,58 +904,56 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev, ...@@ -904,58 +904,56 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
} }
if( p_vcddev->i_vcdimage_handle == -1) if( p_vcddev->i_vcdimage_handle == -1)
{
i_ret = -1;
goto error; goto error;
}
else i_ret = 0;
/* Try to parse the i_tracks and p_sectors info so we can just forget /* Try to parse the i_tracks and p_sectors info so we can just forget
* about the cuefile */ * about the cuefile */
if( i_ret == 0 ) size_t i_tracks = 0;
{
int p_sectors[100];
int i_tracks = 0;
int i_num;
char psz_dummy[10];
while( fgets( line, 1024, cuefile ) ) while( fgets( line, 1024, cuefile ) )
{ {
/* look for a TRACK line */ /* look for a TRACK line */
if( !sscanf( line, "%9s", psz_dummy ) || char psz_dummy[9];
strcmp(psz_dummy, "TRACK") ) if( !sscanf( line, "%9s", psz_dummy ) || strcmp(psz_dummy, "TRACK") )
continue; continue;
/* look for an INDEX line */ /* look for an INDEX line */
while( fgets( line, 1024, cuefile ) ) while( fgets( line, 1024, cuefile ) )
{ {
int i_min, i_sec, i_frame; int i_num, i_min, i_sec, i_frame;
if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num, if( (sscanf( line, "%*9s %2u %2u:%2u:%2u", &i_num,
&i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) ) &i_min, &i_sec, &i_frame ) != 4) || (i_num != 1) )
continue; continue;
i_tracks++; int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame); if (buf == NULL)
goto error;
p_sectors = buf;
p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
msg_Dbg( p_this, "vcd track %i begins at sector:%i", msg_Dbg( p_this, "vcd track %i begins at sector:%i",
i_tracks - 1, p_sectors[i_tracks - 1] ); i_tracks, p_sectors[i_tracks] );
i_tracks++;
break; break;
} }
} }
/* fill in the last entry */ /* fill in the last entry */
int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
if (buf == NULL)
goto error;
p_sectors = buf;
p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END) p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
/ VCD_SECTOR_SIZE; / VCD_SECTOR_SIZE;
msg_Dbg( p_this, "vcd track %i, begins at sector:%i", msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
i_tracks, p_sectors[i_tracks] ); i_tracks, p_sectors[i_tracks] );
p_vcddev->i_tracks = i_tracks; p_vcddev->i_tracks = ++i_tracks;
p_vcddev->p_sectors = malloc( (i_tracks + 1) * sizeof(int) ); p_vcddev->p_sectors = p_sectors;
memcpy( p_vcddev->p_sectors, p_sectors, (i_tracks + 1) * sizeof(int) ); i_ret = 0;
}
error: error:
if( cuefile ) fclose( cuefile ); if( cuefile ) fclose( cuefile );
free( p_sectors );
free( psz_cuefile ); free( psz_cuefile );
free( psz_vcdfile ); free( psz_vcdfile );
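Review bot: On the success path, `p_vcddev->p_sectors = p_sectors;` is followed by `i_ret = 0;` and a fall-through into the `error:` label, where the new `free( p_sectors );` releases the array that was just handed to the device structure, so `p_vcddev->p_sectors` appears to be left dangling for later readers. Adding `p_sectors = NULL;` right after the hand-over keeps the cleanup for the failure paths only. The new `char psz_dummy[9];` is also one byte too small for `sscanf( line, "%9s", psz_dummy )`, which can store nine characters plus the terminator; `char psz_dummy[10];`, the size the old code used, fixes it. The +/- markers are lost on this page, so the new-side lines are inferred from the hunk counts and from scoping, and OpenVCDImage starts before and continues after the visible hunks.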