[vlc-commits] AVI: fix heap buffer overflow (CVE-2011-2588)

Rémi Denis-Courmont git at videolan.org
Tue Jul 12 19:47:55 CEST 2011


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sun Jul 10 23:14:40 2011 +0300| [9c14964bd11482d5c1d6c0e223440f9f1e5b1831] | committer: Rémi Denis-Courmont

AVI: fix heap buffer overflow (CVE-2011-2588)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=9c14964bd11482d5c1d6c0e223440f9f1e5b1831
---

 modules/demux/avi/libavi.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/demux/avi/libavi.c b/modules/demux/avi/libavi.c
index d5d46ef..ee7e6f8 100644
--- a/modules/demux/avi/libavi.c
+++ b/modules/demux/avi/libavi.c
@@ -384,7 +384,8 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
         case( AVIFOURCC_vids ):
             p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
             p_chk->strf.vids.i_cat = VIDEO_ES;
-            p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
+            p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
+                                         sizeof( *p_chk->strf.vids.p_bih ) ) );
             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
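Review bot: The pointer returned by the new `malloc( __MAX( ... ) )` call is written through on the very next line, `AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize )`, with no NULL check. `p_chk->common.i_chunk_size` appears to come from the file being parsed, so a very large declared chunk size could make the allocation fail, and the header reads would then store through a null pointer. Add `if( p_chk->strf.vids.p_bih == NULL )` directly after the allocation and leave through the function's error path, releasing `p_buff` as the other exits do; that cleanup is outside the hunk, so its exact form is not visible here. Separately, when the chunk is shorter than the header, the padding bytes up to `sizeof( *p_chk->strf.vids.p_bih )` stay uninitialised unless the read macros fill them, which cannot be confirmed from this hunk; `calloc` would make that case deterministic.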
@@ -400,7 +401,7 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
             {
                 p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
             }
-            if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
+            if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
             {
                 memcpy( &p_chk->strf.vids.p_bih[1],
                         p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */
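Review bot: The rewritten test `p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER)` deserves a short comment saying why it must not be written as a subtraction, for example `/* compare, do not subtract: the difference is unsigned and wraps when the chunk is shorter than the header */`, so a later cleanup does not reintroduce the old form. This hunk also spells the header size as `sizeof(BITMAPINFOHEADER)`, while the allocation in the first hunk uses `sizeof( *p_chk->strf.vids.p_bih )`. The two are presumably the same type, but one spelling in both places would make it obvious that the `memcpy` destination `&p_chk->strf.vids.p_bih[1]` starts exactly where the guaranteed minimum allocation ends. The `memcpy` length argument lies outside the hunk, so whether it is bounded by what was actually read into `p_buff` cannot be checked from here.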


