codec: schroedinger: fix potential buffer overflow.

The variable len is a raw 32 bit value read using GetDWBE. If this value is larger than UINT32_MAX - sizeof(eos), this will cause an integer overflow in the subsequent call to malloc, and finally a buffer overflow when calling memcpy. We fix this by checking len accordingly. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

codec: schroedinger: fix potential buffer overflow.
The variable len is a raw 32 bit value read using GetDWBE. If this value is larger than UINT32_MAX - sizeof(eos), this will cause an integer overflow in the subsequent call to malloc, and finally a buffer overflow when calling memcpy. We fix this by checking len accordingly. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
9bb0353a · Fabian Yamaguchi · Jean-Baptiste Kempf · ff0fab9d · 9bb0353a
Commit 9bb0353a authored Dec 05, 2014 by Fabian Yamaguchi Committed by Jean-Baptiste Kempf Dec 06, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

modules/codec/schroedinger.c modules/codec/schroedinger.c +4 -0

No files found.
--- a/modules/codec/schroedinger.c
+++ b/modules/codec/schroedinger.c
@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
                     * is appended to the sequence header to allow guard
                     * against poor streaming servers */
                    /* XXX, should this be done using the packetizer ? */
+
+                    if( len > UINT32_MAX - sizeof( eos ) )
+                        return NULL;
+
                    p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
                    if( !p_enc->fmt_out.p_extra )
                        return NULL;