[vlc-commits] AVI: fix heap buffer overflow (CVE-2011-2588)

Rémi Denis-Courmont git at videolan.org
Tue Jul 12 20:00:49 CEST 2011


vlc/vlc-1.1 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sun Jul 10 23:14:40 2011 +0300| [6953ce0862161d09c2b7ca8686a550527a11b9a2] | committer: Rémi Denis-Courmont

AVI: fix heap buffer overflow (CVE-2011-2588)

(cherry picked from commit 9c14964bd11482d5c1d6c0e223440f9f1e5b1831)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=6953ce0862161d09c2b7ca8686a550527a11b9a2
---

 modules/demux/avi/libavi.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/demux/avi/libavi.c b/modules/demux/avi/libavi.c
index 7dbf959..c92e1f1 100644
--- a/modules/demux/avi/libavi.c
+++ b/modules/demux/avi/libavi.c
@@ -386,7 +386,8 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
         case( AVIFOURCC_vids ):
             p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
             p_chk->strf.vids.i_cat = VIDEO_ES;
-            p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
+            p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
+                                         sizeof( *p_chk->strf.vids.p_bih ) ) );
             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
             AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
@@ -402,7 +403,7 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
             {
                 p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
             }
-            if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
+            if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
             {
                 memcpy( &p_chk->strf.vids.p_bih[1],
                         p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */



More information about the vlc-commits mailing list