[vlc-commits] Fix stack overflow in ExecuteCommand

Mon Dec 19 02:44:06 CET 2011

vlc | branch: master | Cheng Sun <chengsun9 at gmail.com> | Thu Dec 15 17:10:52 2011 +0000| [e183a26d4346a5b05a276cde0fd97d33b8cfe72b] | committer: Jean-Baptiste Kempf

Fix stack overflow in ExecuteCommand

Close #5675

Because ExecuteCommand allocates temporary string space on the stack,
proportional to the length of the command to execute, a stack overflow can
occur when the the command is too long.

This can be triggered remotely e.g. from the VLC Web interface, by
running this JavaScript:

sendVLMCmd(Array.prototype.join.call({length:300000},'a'));

which sends a string of length 300000 to ExecuteCommand, crashing VLC.

OKed-by: Rafaël Carré <funman at videolan.org>
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=e183a26d4346a5b05a276cde0fd97d33b8cfe72b
---

 src/input/vlmshell.c |   28 +++++++++++++++++++++++-----
 1 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/src/input/vlmshell.c b/src/input/vlmshell.c
index ab00d67..afa7ed2 100644
--- a/src/input/vlmshell.c
+++ b/src/input/vlmshell.c
@@ -847,9 +847,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
                            vlm_message_t **pp_message )
 {
     size_t i_command = 0;
-    char buf[strlen (psz_command) + 1], *psz_buf = buf;
-    char *ppsz_command[3+sizeof (buf) / 2];
+    size_t i_command_len = strlen( psz_command );
+    char *buf = malloc( i_command_len + 1 ), *psz_buf = buf;
+    size_t i_ppsz_command_len = (3 + (i_command_len + 1) / 2);
+    char **ppsz_command = malloc( i_ppsz_command_len * sizeof(char *) );
     vlm_message_t *p_message = NULL;
+    int i_ret = 0;
+
+    if( !psz_buf || !ppsz_command )
+    {
+        p_message = vlm_MessageNew( ppsz_command[0],
+                        "Memory allocation failed for command of length %zu",
+                        i_command_len );
+        goto error;
+    }
 
     /* First, parse the line and cut it */
     while( *psz_command != '\0' )
@@ -877,7 +888,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
             goto error;
         }
 
-        assert (i_command < (sizeof (ppsz_command) / sizeof (ppsz_command[0])));
+        assert (i_command < i_ppsz_command_len);
 
         ppsz_command[i_command] = psz_buf;
         memcpy (psz_buf, psz_command, psz_temp - psz_command);
@@ -889,7 +900,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
         psz_buf += psz_temp - psz_command + 1;
         psz_command = psz_temp;
 
-        assert (buf + sizeof (buf) >= psz_buf);
+        assert (buf + i_command_len + 1 >= psz_buf);
     }
 
     /*
@@ -920,13 +931,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
 
 success:
     *pp_message = p_message;
+    free( buf );
+    free( ppsz_command );
     return VLC_SUCCESS;
 
 syntax_error:
-    return ExecuteSyntaxError( ppsz_command[0], pp_message );
+    i_ret = ExecuteSyntaxError( ppsz_command[0], pp_message );
+    free( buf );
+    free( ppsz_command );
+    return i_ret;
 
 error:
     *pp_message = p_message;
+    free( buf );
+    free( ppsz_command );
     return VLC_EGENERIC;
 }
 

