[vlc-commits] commit: dvdread: fix potential buffer read overflow (fix #4238) ( Rémi Denis-Courmont )

git at videolan.org git at videolan.org
Sun Oct 10 12:26:33 CEST 2010 

vlc/vlc-1.1 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sun Oct 10 13:22:10 2010 +0300| [37537d857fe06dbffce5e031fee1eeae59fa4076] | committer: Rémi Denis-Courmont 

dvdread: fix potential buffer read overflow (fix #4238)

(cherry picked from commit c4fc30952da85a6d7bc750c4fb0884eb5f206308)

Conflicts:

	modules/access/dvdread.c

> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=37537d857fe06dbffce5e031fee1eeae59fa4076
---

 modules/access/dvdread.c |   20 +++++++-------------
 1 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/modules/access/dvdread.c b/modules/access/dvdread.c
index fd32b6a..af93fb3 100644
--- a/modules/access/dvdread.c
+++ b/modules/access/dvdread.c
@@ -157,7 +157,7 @@ struct demux_sys_t
 
 static int Control   ( demux_t *, int, va_list );
 static int Demux     ( demux_t * );
-static int DemuxBlock( demux_t *, uint8_t *, int );
+static int DemuxBlock( demux_t *, const uint8_t *, int );
 
 static void DemuxTitles( demux_t *, int * );
 static void ESNew( demux_t *, int, int );
@@ -564,27 +564,20 @@ static int Demux( demux_t *p_demux )
 /*****************************************************************************
  * DemuxBlock: demux a given block
  *****************************************************************************/
-static int DemuxBlock( demux_t *p_demux, uint8_t *pkt, int i_pkt )
+static int DemuxBlock( demux_t *p_demux, const uint8_t *p, int len )
 {
     demux_sys_t *p_sys = p_demux->p_sys;
-    uint8_t     *p = pkt;
 
-    while( p && p < &pkt[i_pkt] )
+    while( len > 0 )
     {
-        block_t *p_pkt;
-        int i_size = &pkt[i_pkt] - p;
-
-        if( i_size < 6 )
-            break;
- 
-        i_size = ps_pkt_size( p, i_size );
-        if( i_size <= 0 )
+        int i_size = ps_pkt_size( p, len );
+        if( i_size <= 0 || i_size > len )
         {
             break;
         }
 
         /* Create a block */
-        p_pkt = block_New( p_demux, i_size );
+        block_t *p_pkt = block_New( p_demux, i_size );
         memcpy( p_pkt->p_buffer, p, i_size);
 
         /* Parse it and send it */
@@ -649,6 +642,7 @@ static int DemuxBlock( demux_t *p_demux, uint8_t *pkt, int i_pkt )
         }
 
         p += i_size;
+        len -= i_size;
     }
 
     return VLC_SUCCESS;

More information about the vlc-commits mailing list