modules/services_discovery/sap.c: avoid out-of-bounds write

After OpenDemux reads data using stream_Read(), it writes a '\0' to the buffer after the newly-read data, but if the stream returned exactly i_read_max bytes, this '\0' will end up just past the end of the allocated psz_sdp array (see the call to realloc at the beginning of the loop). Adjust the realloc call to allocate this one extra byte. Signed-off-by: Rémi Denis-Courmont <remi@remlab.net> (cherry picked from commit dee928705dd32839317dca0e77089b02dd720763)

modules/services_discovery/sap.c: avoid out-of-bounds write
After OpenDemux reads data using stream_Read(), it writes a '\0' to the buffer after the newly-read data, but if the stream returned exactly i_read_max bytes, this '\0' will end up just past the end of the allocated psz_sdp array (see the call to realloc at the beginning of the loop). Adjust the realloc call to allocate this one extra byte. Signed-off-by: Rémi Denis-Courmont <remi@remlab.net> (cherry picked from commit dee928705dd32839317dca0e77089b02dd720763)
a520ae9e · Nickolai Zeldovich · Rémi Denis-Courmont · 2973e24a · a520ae9e
Commit a520ae9e authored Jan 16, 2013 by Nickolai Zeldovich Committed by Rémi Denis-Courmont Jan 17, 2013
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

modules/services_discovery/sap.c modules/services_discovery/sap.c +1 -1

No files found.
--- a/modules/services_discovery/sap.c
+++ b/modules/services_discovery/sap.c
@@ -348,7 +348,7 @@ static int OpenDemux( vlc_object_t *p_this )
    for( i_len = 0, psz_sdp = NULL; i_len < 65536; )
    {
        const int i_read_max = 1024;
-        char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max );
+        char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max + 1 );
        size_t i_read;
        if( psz_sdp_new == NULL )
        {