Commit eb9963eb authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Real: fix integer overflow

This is trivially exploitable to run code.

Pointed-out-by: Tobias Klein
parent 56acdf5c
......@@ -928,13 +928,10 @@ static void ReadRealIndex( demux_t *p_demux )
msg_Dbg( p_demux, "Real Index: Does next index exist? %d ",
GetDWBE( &buffer[16] ) );
p_sys->p_index =
(rm_index_t *)malloc( sizeof( rm_index_t ) * (i_index_count+1) );
p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) );
if( p_sys->p_index == NULL )
return;
memset( p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1) );
for( i=0; i<i_index_count; i++ )
{
if( stream_Read( p_demux->s, buffer, 14 ) < 14 )
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment