[vlc-commits] real: fix heap buffer overflow (CVE-2011-2587)
Rémi Denis-Courmont
git at videolan.org
Tue Jul 12 20:00:49 CEST 2011
vlc/vlc-1.1 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sun Jul 10 23:36:31 2011 +0300| [3e7f0de57218f76a77f6b1759970e8740fd6ef0c] | committer: Rémi Denis-Courmont
real: fix heap buffer overflow (CVE-2011-2587)
(cherry picked from commit 1bce40644cddee93b4b1877a94a6ce345f32852c)
> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=3e7f0de57218f76a77f6b1759970e8740fd6ef0c
---
modules/demux/real.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/demux/real.c b/modules/demux/real.c
index 269ded3..b0e2677 100644
--- a/modules/demux/real.c
+++ b/modules/demux/real.c
@@ -841,7 +841,8 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts )
demux_sys_t *p_sys = p_demux->p_sys;
block_t *p_block = tk->p_sipr_packet;
- if( p_sys->i_buffer < tk->i_frame_size )
+ if( p_sys->i_buffer < tk->i_frame_size
+ || tk->i_sipr_subpacket_count >= tk->i_subpacket_h )
return;
if( !p_block )
@@ -851,7 +852,6 @@ static void DemuxAudioSipr( demux_t *p_demux, real_track_t *tk, mtime_t i_pts )
return;
tk->p_sipr_packet = p_block;
}
-
memcpy( p_block->p_buffer + tk->i_sipr_subpacket_count * tk->i_frame_size,
p_sys->buffer, tk->i_frame_size );
if (!tk->i_sipr_subpacket_count)
More information about the vlc-commits
mailing list