[vlc-commits] [Git][videolan/vlc][master] 4 commits: mms: use const in mms_ParsePacket()

Steve Lhomme (@robUx4) gitlab at videolan.org
Tue Jan 30 07:34:39 UTC 2024 


Steve Lhomme pushed to branch master at VideoLAN / VLC


Commits:
8724a302 by Thomas Guillem at 2024-01-30T07:10:58+00:00
mms: use const in mms_ParsePacket()

- - - - -
16dbe955 by Thomas Guillem at 2024-01-30T07:10:58+00:00
mms: decrease i_packet_length in only one place

- - - - -
de2f34e7 by Thomas Guillem at 2024-01-30T07:10:58+00:00
mms: return -1 in case of error

The function calling mms_ParsePacket() is expecting -1 (for error) or a
valid positive integer for success.

- - - - -
d1ca10c6 by Thomas Guillem at 2024-01-30T07:10:58+00:00
mms: fix potential integer overflow

That could lead to a heap buffer overflow.

Thanks Andreas Fobian for the report.

- - - - -


1 changed file:

- modules/access/mms/mmstu.c


Changes:

=====================================
modules/access/mms/mmstu.c
=====================================
@@ -1238,7 +1238,7 @@ static int  mms_ParseCommand( stream_t *p_access,
 }
 
 static int  mms_ParsePacket( stream_t *p_access,
-                             uint8_t *p_data, size_t i_data,
+                             const uint8_t *p_data, size_t i_data,
                              size_t *pi_used )
 {
     access_sys_t        *p_sys = p_access->p_sys;
@@ -1298,21 +1298,24 @@ static int  mms_ParsePacket( stream_t *p_access,
 #endif
     }
     p_sys->i_packet_seq_num = i_packet_seq_num + 1;
+    i_packet_length -= 8; // don't bother with preheader
 
     if( i_packet_id == p_sys->i_header_packet_id_type )
     {
-        uint8_t *p_reaced = realloc( p_sys->p_header,
-                                     p_sys->i_header + i_packet_length - 8 );
+        size_t new_header_size;
+        if( add_overflow( p_sys->i_header, i_packet_length, &new_header_size ) )
+            return -1;
+        uint8_t *p_reaced = realloc( p_sys->p_header, new_header_size );
         if( !p_reaced )
-            return VLC_ENOMEM;
+            return -1;
 
-        memcpy( &p_reaced[p_sys->i_header], p_data + 8, i_packet_length - 8 );
+        memcpy( &p_reaced[p_sys->i_header], p_data + 8, i_packet_length );
         p_sys->p_header = p_reaced;
-        p_sys->i_header += i_packet_length - 8;
+        p_sys->i_header = new_header_size;
 
 /*        msg_Dbg( p_access,
                  "receive header packet (%d bytes)",
-                 i_packet_length - 8 ); */
+                 i_packet_length ); */
 
         return MMS_PACKET_HEADER;
     }
@@ -1322,15 +1325,15 @@ static int  mms_ParsePacket( stream_t *p_access,
         p_sys->i_media = 0;
         p_sys->i_media_used = 0;
 
-        p_sys->p_media = malloc( i_packet_length - 8 ); // don't bother with preheader
+        p_sys->p_media = malloc( i_packet_length );
         if( !p_sys->p_media )
-            return VLC_ENOMEM;
+            return -1;
 
-        p_sys->i_media = i_packet_length - 8;
+        p_sys->i_media = i_packet_length;
         memcpy( p_sys->p_media, p_data + 8, p_sys->i_media );
 /*        msg_Dbg( p_access,
                  "receive media packet (%d bytes)",
-                 i_packet_length - 8 ); */
+                 i_packet_length ); */
 
         return MMS_PACKET_MEDIA;
     }



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/de03f1e026976220eab1c6b8d091e93a4760194f...d1ca10c62bf80a71fa21857f2f97762b71136cb4

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/de03f1e026976220eab1c6b8d091e93a4760194f...d1ca10c62bf80a71fa21857f2f97762b71136cb4
You're receiving this email because of your account on code.videolan.org.


VideoLAN code repository instance

More information about the vlc-commits mailing list