[vlc-commits] commit: dvdnav: fix potential buffer read overflow ( Rémi Denis-Courmont )

git at videolan.org git at videolan.org
Sun Oct 10 12:26:33 CEST 2010


vlc/vlc-1.1 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sun Oct 10 13:21:42 2010 +0300| [37dbfdd2cbda1f9b494744436defdc77131cc57a] | committer: Rémi Denis-Courmont 

dvdnav: fix potential buffer read overflow

(cherry picked from commit d626e6783470e2476b0b61d1c00aa2fe35d03bba)

Conflicts:

	modules/access/dvdnav.c

> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=37dbfdd2cbda1f9b494744436defdc77131cc57a
---

 modules/access/dvdnav.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/modules/access/dvdnav.c b/modules/access/dvdnav.c
index 019f727..af09f13 100644
--- a/modules/access/dvdnav.c
+++ b/modules/access/dvdnav.c
@@ -1136,16 +1136,14 @@ static void ESSubtitleUpdate( demux_t *p_demux )
 /*****************************************************************************
  * DemuxBlock: demux a given block
  *****************************************************************************/
-static int DemuxBlock( demux_t *p_demux, const uint8_t *pkt, int i_pkt )
+static int DemuxBlock( demux_t *p_demux, const uint8_t *p, int len )
 {
     demux_sys_t *p_sys = p_demux->p_sys;
-    const uint8_t     *p = pkt;
 
-    while( (p - pkt) <= (i_pkt - 6) )
+    while( len > 0 )
     {
-        /* ps_pkt_size() needs at least 6 bytes */
-        int i_size = ps_pkt_size( p, &pkt[i_pkt] - p );
-        if( i_size <= 0 )
+        int i_size = ps_pkt_size( p, len );
+        if( i_size <= 0 || i_size > len )
         {
             break;
         }
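Review bot: The new loop condition `while( len > 0 )` lets a tail of 1 to 5 bytes reach `ps_pkt_size( p, len )`, although the comment this hunk deletes said that helper needs at least 6 bytes. ps_pkt_size is not shown here, so it should be confirmed that it bounds its own header reads by its second argument; if it does not, a short tail could still be read past the end of the buffer. Either keep the minimum in the loop, `while( len >= 6 )`, or replace the deleted comment with one stating the contract, e.g. `/* ps_pkt_size() checks len before reading the header */`. The added `i_size > len` test does cover a declared packet size larger than the remaining data. DemuxBlock's body continues outside this hunk, so the per-packet reads after the size check are not reviewed here.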
@@ -1215,6 +1213,7 @@ static int DemuxBlock( demux_t *p_demux, const uint8_t *pkt, int i_pkt )
         }
 
         p += i_size;
+        len -= i_size;
     }
 
     return VLC_SUCCESS;


