Commit a520ae9e authored by Nickolai Zeldovich's avatar Nickolai Zeldovich Committed by Rémi Denis-Courmont

modules/services_discovery/sap.c: avoid out-of-bounds write

After OpenDemux reads data using stream_Read(), it writes a '\0' to
the buffer after the newly-read data, but if the stream returned exactly
i_read_max bytes, this '\0' will end up just past the end of the allocated
psz_sdp array (see the call to realloc at the beginning of the loop).
Adjust the realloc call to allocate this one extra byte.
Signed-off-by: default avatarRémi Denis-Courmont <remi@remlab.net>
(cherry picked from commit dee928705dd32839317dca0e77089b02dd720763)
parent 2973e24a
...@@ -348,7 +348,7 @@ static int OpenDemux( vlc_object_t *p_this ) ...@@ -348,7 +348,7 @@ static int OpenDemux( vlc_object_t *p_this )
for( i_len = 0, psz_sdp = NULL; i_len < 65536; ) for( i_len = 0, psz_sdp = NULL; i_len < 65536; )
{ {
const int i_read_max = 1024; const int i_read_max = 1024;
char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max ); char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max + 1 );
size_t i_read; size_t i_read;
if( psz_sdp_new == NULL ) if( psz_sdp_new == NULL )
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment