Commit fbe2837b authored by Fabian Yamaguchi, committed by Jean-Baptiste Kempf

misc: update: fix buffer overflow in updater

On 32-bit builds, parsing of update status files with a size of
4294967295 or more led to an integer truncation in a call to malloc
and a subsequent buffer overflow. This happened prior to checking the
files' signature. The commit fixes this by disallowing overly large
status files (above 65k in practice).
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
parent 3a71b317
...@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update ) ...@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
} }
const int64_t i_read = stream_Size( p_stream ); const int64_t i_read = stream_Size( p_stream );
if( i_read < 0 || i_read >= UINT16_MAX)
{
msg_Err(p_update->p_libvlc, "Status file too large");
goto error;
}
psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */ psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
if( !psz_update_data ) if( !psz_update_data )
goto error; goto error;
......
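Review bot: the added check `if( i_read < 0 || i_read >= UINT16_MAX)` logs "Status file too large" even when `i_read` is negative, so a size that `stream_Size` could not report is indistinguishable in the log from an oversized file; split the two conditions or use a message that covers both. The comparison is `>=`, so a file of exactly UINT16_MAX bytes is rejected as well, which is safe but worth stating through a named constant with a comment giving the intended maximum instead of reusing UINT16_MAX directly. With this bound, `i_read + 1` in the `malloc` call is at most UINT16_MAX and can no longer be truncated when converted to the allocation size. As a style point, `UINT16_MAX)` is missing the space before the closing parenthesis that the surrounding lines use.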