misc: update: fix buffer overflow in updater

On 32 bit builds, parsing of update status files with a size of 4294967295 or more lead to an integer truncation in a call to malloc and a subsequent buffer overflow. This happened prior to checking the files' signature. The commit fixes this by disallowing overly large status files (above 65k in practice) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

misc: update: fix buffer overflow in updater
On 32 bit builds, parsing of update status files with a size of 4294967295 or more lead to an integer truncation in a call to malloc and a subsequent buffer overflow. This happened prior to checking the files' signature. The commit fixes this by disallowing overly large status files (above 65k in practice) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
fbe2837b · Fabian Yamaguchi · Jean-Baptiste Kempf · 3a71b317 · fbe2837b
Commit fbe2837b authored Dec 06, 2014 by Fabian Yamaguchi Committed by Jean-Baptiste Kempf Dec 10, 2014
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

src/misc/update.c src/misc/update.c +7 -0

No files found.
--- a/src/misc/update.c
+++ b/src/misc/update.c
@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
    }

    const int64_t i_read = stream_Size( p_stream );
+
+    if( i_read < 0 || i_read >= UINT16_MAX)
+    {
+        msg_Err(p_update->p_libvlc, "Status file too large");
+        goto error;
+    }
+
    psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
    if( !psz_update_data )
        goto error;